European regulators handed out fines adding up to €1.64bn in 2022, a year-on-year increase of 50%. How this will evolve “is of course always difficult to anticipate but I think the tendency is that there will continue to be an increase [in fines],” says Olivier Reisch. The bulk of the increase over the last twelve months can be attributed to large fines given by Ireland’s authorities to Facebook’s parent company Meta. “I would expect that there will be more fines in other countries as well,” says Reisch.
The number of data breaches reported fell over the twelve-month period, going from 328 notifications on an average day to around 300. Though the survey ascribes this phenomenon partly to businesses’ fear of further investigations into their data protection measures, Reisch talks of a certain sophistication of companies and their strategies. “They are getting better at keeping the data safe,” he says, and on the legal side are becoming more aware of what constitutes an actual data breach and what doesn’t.
But, says David Alexandre, as technology evolves and companies rely more heavily on data for their development, the criteria for sanctions might change. Regulators could possibly start looking more closely into cyberattacks and determine whether companies undertook the necessary steps to protect their clients’ data. Five years after the European directive was introduced in 2018, “the issue is not whether companies should be compliant, because most of our clients are now compliant to some extent,” says Alexandre. Instead, it will be interesting to see how regulators sanction cyberattacks--“especially the technical aspect of it.”
The main risk is probably that once you have that many regulations going in different directions, you start seeing regulations that contradict each other.
Tensions between tech companies and regulators
Also identified in DLA Piper’s survey is a tension between certain types of companies and EU regulators, especially online platforms like Meta or Amazon. The grand duchy’s national commission for data protection (CNPD) for instance for the highest sanction on GDPR violations by fining Amazon €746m in 2021.
The incompatibility between data protection and these platforms’ ‘grand bargain’--the ‘free’ services provided to customers in exchange for their data--could threaten the attractiveness of European countries for companies relying on data mining to improve and grow. The crackdown on online platforms is “a lot of pressure for countries” like Luxembourg and Ireland, which have been attracting a lot of tech entrepreneurs and global firms, says Reisch. This pressure comes not just only from local regulators but also from other countries and customers.
Businesses will have to find new ways to monetise their services, says Reisch. They either have to become more compliant and offer less services or they must redefine their relationship with the consumer. But, “the main risk is probably that once you have that many regulations going in different directions, you start seeing regulations that contradict each other. And as a company you then have to decide which regulation you give preference to,” says Reisch. Companies may end up not knowing what they need to do to be fully compliant.”
“It’s a good thing to regulate and to ensure consumer protection but is it a good thing when it is starting to become cumbersome for the business?”
A cocoon for innovation
So, the issue is that the overregulation on data protection could lead to companies losing an oversight of what will make them compliant. “It’s a bit of a tight red line for Europe to be on as well,” says Reisch. “On one hand, you want to be on the forefront of consumer-friendly legislation, protect the +400m people in the EU. On the other hand, too much regulation can stifle innovation.”
“It’s a good thing to regulate and to ensure consumer protection but is it a good thing when it is starting to become cumbersome for the business?” asks Alexandre. In a global and competitive environment, being business-friendly and respecting EU rules “is a hard balance to strike” so “companies and regulators have to work together.” “This is starting to happen in Luxembourg,” reassures Reisch.
“Companies should continue to innovate and have ambitious projects but they should get legal advice.
Another risk is that regulators cannot match the speed at which technology evolves. Taking the example of AI chatbot ChatGPT, Alexandre says that “one of the biggest issues we might be facing is the amount of data that will be exchanged.” There are a lot of questions about the kind of data stored, the location where that data is stored, how do you regulate this. Technology changes at such a fast pace, that “by the time you have a law, it is already outdated,” says Alexandre.
The evolution of regulation mass “really depends on who we elect at the EU level,” says Alexandre. “It’s really a matter of policies. There’s not a miracle cure, of course.”
But DLA Piper remains adamant that companies should not let the regulatory inflation stop them in their tracks. “Companies should continue to innovate and have ambitious projects but they should get legal advice,” advises Reisch. “You need to involve the right professionals from the very beginning,” because it will be cheaper to develop a product that is already compliant rather than launch a product into the landscape that will later need to be fixed.
How the world of data protection will evolve remains difficult to predict, when consumers become more aware of their own rights and technology absorbs more data for its own development.