The General Data Protection Regulation (GDPR) is widely touted as the greatest shift in data privacy regulation of the century—with protections of users’ rights in commercial use, as well as cross-border transfers, the GDPR establishes fundamental freedoms within digital spaces and codifies the rights of users across the European Union (EU). When the GDPR was introduced, the EU had high expectations of changing practices in relation to data collection, processing and transfer. Despite examples of penalties and fines being imposed on businesses, three years after the GDPR entered into force, the question remains: Has GDPR enforcement (or lack thereof) changed the way cross-border contracting is carried out? This article describes the EU’s initial plans for enforcement under the GDPR, discusses actual instances of enforcement over its three years of existence, and queries whether anything about the GDPR has changed cross-border contracting practices.
Since inception, EU supervisory authorities have levied approximately 1,034 fines and 1.6 billion Euro in penalties for violations under the GDPR. Nonetheless, since 2021, authorities appear to have ramped up enforcement. Between January and November 2021, DPAs filed 395 fines against companies, totaling over 1 billion Euro (eighty-one percent of all fines issued from the inception of the GDPR to November 2021) .
However, very few enforcement actions have addressed cross-border contracting. Companies engaging in cross-border contracting could interpret this lack of interest from regulatory bodies as a sign that things may carry on as they did before the GDPR came into effect. While corporations may have altered attitudes towards customer engagement and data processing based on the GDPR, there is little evidence of changes to nuanced practices associated with cross-border contracts. Businesses seem far more focused on compliance with requirements related to contracts with user than requirements for contractual relationships internationally. Similar enforcement trends in the narrowed context of Chapter V protections against improper and unjustifiable cross-border data tranfsers remain to be seen.
Published in The Year in Review: An Annual Publication of the ABA International Law Section (vol 56 ABA/ILS YIR 67-72 (2022)). The article was written by Ali Strongwater (JD ‘23) and Izak Rosenfeld (Associate General Counsel, Access Now) during Ali’s externship at Access Now in Fall 2021.
