The headlines in recent years have been littered with news of corporate scandals and data mismanagement. Regulators have responded with varying degrees of fines and an increasingly complicated regulatory environment. Despite this uptick in regulation and enforcement, the behavior of the world’s most powerful companies has not appeared to change in any significant way. Wells Fargo provides a notable example. In late 2016, after the Consumer Financial Protection Bureau (“CFPB”) fined the company $185 million, headlines surfaced showing that the bank had engaged in the practice of creating fake customer accounts to inflate cross-selling of its products. The CFPB fine, coupled with additional penalties from various regulators resulting in a $575 million settlement, is unlikely to have a large impact on the firm, which earned over $22 billion in 2018. Although regulators are increasingly able to take steps to penalize companies engaging in reckless or fraudulent activity, the signs show that arguably the most prominent effect of such penalties is management turnover and alleged cultural changes. The concern is whether the cultural changes are sincere despite the profits reaped in the face of fines. The world’s most powerful corporations are not above the law, but, in an environment where the most important metric of success is the bottom line, such entities may be indifferent to it.[1]
GDPR: One year in
In the realm of data security, though, the road ahead looks more promising. Since the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”) came into effect last May, major corporations have been forced to register for processing data in the EU. Ireland has emerged as the EU’s primary data overseer and an example of how government regulators can effectively leverage new laws to create corporate change. Policing under the GDPR falls to the country’s Data Protection Commission (“DPC”), which can originate investigations on its own or upon receiving complaints. Since the GDPR came into effect, there have been €56,000,000 ($62,527,964) in total fines, over 500,000 data protection officers appointed, over 200,000 cases received by data protection authorities, approximately 100,000 individual complaints filed, and over 64,000 data breach notifications received. The numbers are hard to ignore, and companies, including U.S. tech giants Facebook, Google, Microsoft, Apple, Twitter, LinkedIn and Dropbox, have responded by making policies clearer and ensuring that users are aware of privacy settings. Many companies have engaged in wholesale changes in culture and data protection, although some regulators note that other companies merely undergo a formal “box-ticking” exercise with little resulting change in culture. That said, given the numbers after only one year, the future of corporate compliance under the GDPR looks bright.
[1] Facebook serves as another prominent example. With annual revenue of approximately $56 billion last year, even the potential of a $5 billion fine as a result of the Cambridge Analytica scandal appears to be rather lenient.