First Year Of GDPR Application: Boom Of DPOs And New Strategies For US Companies

Updated on

TBS Business School Law Professor Gregory VOSS, specialized in data privacy, analyzes the first year of GDPR application.

It has now been one year since the European Union’s General Data Protection Regulation (GDPR) has become applicable. While criticism of the GDPR still is voiced in certain circles, the focus of the US tech giants’ corporate political activity has shifted mainly to the United States where there is discussion of a potential federal privacy law.


Q1 hedge fund letters, conference, scoops etc

Awareness-raising has gone on and complaints of GDPR violations increased compared to those under previous law. For example, the French CNIL registered a 32.5% increase in complaints in 2018 over 2017. Meanwhile, the privacy profession has boomed, with an estimated 500,000 data protection officers (DPOs) (IAPP estimate), which are required for many companies under the GDPR, being registered across Europe.  Many international companies have also been working to adjust their procedures to comply with the GDPR, although sometimes with varying interpretation of its provisions.

Administrative fines for companies may, in the most serious cases, go up to a maximum of €20 million or 4% of annual global turnover (whichever is greater), which may amount to billions of euros for the tech giants, in addition to other sanctions such as orders to halt data processing. While the fines issued during the GDPR’s first year have been much less than such maximum amounts—for example, Google was fined €50 million by the French CNIL, far below the maximum of approximately €3 billion—, data protection authorities, such as that of Ireland, have warned of fines to come being “substantial.” That we haven’t seen more large fines to date is due in part to the GDPR fines only applying to data protection violations since May 25, 2018, and the fact that it takes time to conduct investigations.

How US companies adapt their strategy to the European regulation?

The degree of compliance with the GDPR may also be an element of legal strategy. Already US companies have been seen to have different compliance strategies. While some companies such as media outlets have sought to avoid the GDPR by blocking potential EU users, the tech giants have either sought a minimal level of compliance with the regulation or have chosen to take a more strategic approach to the GDPR by embracing compliance and, for example, offering GDPR-like protection to their consumers worldwide.

This latter strategy may have advantages in terms of efficiencies in streamlining procedures for all customers, and as preparation for legal developments worldwide as the GDPR influences laws in countries and states outside of the European Union, including California. The result may also be greater consumer trust.

A further measure could involve combining the roles of the required DPO with their current Chief Privacy Officer and making the officer responsible for worldwide data protection law compliance. At the base of such actions would be the adoption of European Union’s definition of the kinds of data that are subject to protection – its definition of “personal data” – which is the broad definition that is included in cross-border data transfer mechanisms, as well, and which companies must first understand.

Based on: W.G. Voss & K.A. Houser: Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies. American Business Law Journal  Volume 56, Issue 2, Summer 2019; 287-344: DOI 10.1111/ablj.12139.

American Business Law Journal can be accessed at:

Leave a Comment