Intelligent CIO Europe Issue 62 | Page 34

EDITOR’S QUESTION

HOW IS GDPR HELPING TO PROTECT CROSS-BORDER PAYMENTS AND CUSTOMER DATA?

DLA Piper has published the findings of its annual GDPR and Data Breach Survey. The Europe-wide survey has revealed another record year with a 168% year-on-year increase in the total value of fines issued across Europe.

Among the largest fines levied were those against Meta Platforms Ireland (Meta), demonstrating that social media, and its reliance on extensive processing of personal data, have been a particular focus of regulatory action.
Several of the largest fines imposed against Meta by the Irish DPC relate to Facebook and Instagram’s behavioural profiling of users and whether the lawful basis of ‘contract necessity’ can be used to legitimise the mass harvesting of personal data. While the Irish DPC originally concluded that this was possible, the European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers and how ‘free’ online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed and years of litigation to follow.
The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day in 2022. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.
While personal data issues around advertising and social media have dominated headlines, there is a growing focus on Artificial Intelligence and the role of personal data used to train AI.
The survey also reports some notable decisions made by data protection supervisory authorities in 2022, considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to ‘third countries’, arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm.
“A proportionate, risk-based approach to GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required,” said Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper. “Adopting an ‘absolutist’ approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks real lasting harm to consumers. Transfers have many benefits for consumers and for society, by ensuring the rapid development and rollout of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people.”
Here, we speak to three industry experts about how GDPR protects cross-border payments and customer data.