On the eve of Data Protection Day in Europe, the European Commission released a statement on the status of the EU’s General Data Protection Regulation (GDPR), which came into force on 25th May 2018. In its statement, the Commission stressed the importance of the GDPR in light of recent large-scale data breaches, and the positive effect the law has had in raising awareness of data protection and of the rights available to data subjects. Along with the joint statement, the Commission released an infographic tracking GDPR developments over the past eight months, covering compliance with the rules, enforcement of the rules and awareness of the rules. The key statistics in the infographic include:

  • National Data Protection Authorities (DPAs) across the EU have received more than 95,000 complaints from citizens since May 2018;
  • The most common types of complaints reported to the DPAs relate to telemarketing, promotional emails and video surveillance/CCTV;
  • Forty thousand (40,000) data breach notifications were reported to DPAs across the EU;
  • Two hundred and fifty-five (255) investigations by DPAs into cross-border GDPR violations are ongoing;
  • Three fines were issued by DPAs for GDPR violations; the largest was imposed on Google, in the sum of €50,000,000, for lack of consent to processing personal data.

The infographic also notes that, although the GDPR is a regulation and is therefore directly binding and applicable in all EU member states, there are still areas within the regulation that require member states to supplement the GDPR with local legislation. Whilst 23 member states, including Malta, have adopted the required national legislation, 5 are still in the process of doing so.

In 2018 the GDPR received so much attention that even some celebrities had to stand in its shadow. During the peak month of May 2018, GDPR was searched for more on Google than American superstars Beyoncé and Kim Kardashian.


Investigations into potential contraventions of the GDPR can be initiated by a Supervisory Authority or triggered by a data subject complaint. Sanctions for breaches range from reprimands to fines. Depending on the sensitivity of the data, the nature of the infringement, the risk of harm to the data subjects, and the egregiousness of the breach, the fines can be significant: up to 4% of the annual turnover of a business if there is a serious infringement. In addition, the GDPR gives data subjects legal recourse for processing violations affecting their rights. This includes the right to bring a private cause of action for material or non-material damages resulting from a contravention, and the right to pursue “collective actions,” which are like US class actions.

The GDPR has brought new and enhanced privacy and security obligations for organizations around the globe, including U.S.-based companies. Compliance with the GDPR is mandatory, yet as of December 2018 more than 50% of regulated organizations were still not fully GDPR compliant.

More statistics and case law related to the GDPR, particularly those coming from Malta, will be made available during the GDPR One Year Conference to be held on 5th June 2019.

Source: European Commission