Increasing penalties and a stronger enforcement approach in Europe should be an indication that there will be increasing enforcement action (and consequences) under the Australian privacy regime, argues one global law firm partner.
In its recently released “GDPR data breach survey: January 2020”, global firm DLA Piper found that – for the period between 28 January 2019 and 27 January 2020 – there were 278 breach notifications per day on average across the European Economic Area (i.e. the area covering all 28 member states of the European Union).
That amounted to a 12.6 per cent increase from the period from 25 May 2018 to 27 January 2019, the firm noted, which had an average of 247 breach notifications per day.
That said, it would be “unwise to assume” that low and infrequent fines will be the norm going forward, DLA posited.
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines. We expect to see more multimillion euro fines in the coming year,” it wrote.
“Fines certainly aren’t the only potential exposure for organisations which fall short of GDPR’s exacting requirements. Supervisory authorities enjoy a wide range of powers to impose other sanctions including, in some countries, [the] ability to publicly name and shame the wrongdoer.”
There is also an increased risk of “follow-on” compensation claims, DLA continued, such as group litigation “which [follows] a regulatory finding of liability”.
“Litigation funders have billions of euros available to fund claims and – where local civil procedure rules permit – are becoming increasingly active pursuing group litigation claims for large groups of affected individuals on the basis of alleged breaches of GDPR and data protection laws,” it said.
“Recent UK group litigation claims based on data protection law infringements would be very familiar to US class action lawyers.”
In conversation with Lawyers Weekly, DLA Piper IP and technology partner Nicholas Boyle said that the potential financial impact of GDPR means it will be critical for in-house teams in Europe to work closely with the business to understand and implement measures to comply with the requirements of GDPR.
“Privacy, cyber and information security are at the top of the list for both the executive teams and boards of corporates, which means that compliance in these areas is a key focus for businesses, and in-house counsel have an opportunity and responsibility to be trusted advisers on these issues,” he said.
“In particular, in-house counsel should emphasise that privacy compliance is an organisation-wide matter – for example, everyone in the organisation should receive regular training, and it isn’t just something [that] can be addressed by IT departments installing additional software or configuring systems in a particular way.”
When asked if there are any specific lessons for Australian legal counsel, Mr Boyle said that the increasing penalties and increased enforcement approach in Europe “should be an indication that it is likely that in the near to medium term there will be increasing enforcement action (and consequences) under the Australian privacy regime”.
“Dealing with this type of regulatory environment is already a reality for many Australian businesses that have operations in Europe or are tech-based businesses with a global customer base, and indeed, it is not dissimilar to other areas of regulation domestically in the wake of the Hayne royal commission,” he explained.
“In-house teams in Australia should, like their European counterparts, be making the case that privacy compliance is an organisation-wide issue, and that protecting the privacy of individuals should [be] considered in every aspect of an organisation’s business – from product design, to sales and services processes, to responding to customer complaints, and HR and employment processes.