Privacy Rights: GDPR Enforcement Celebrates Third BirthdayRegulators Increasingly 'Asking the Right Questions' After a Breach, Expert Says
Where were you on May 25, 2018? That was the day the EU's General Data Protection Regulation went into full effect.
Three years later, the global privacy discussion and surrounding expectations have evolved, thanks in no small part to GDPR. The regulation has made it clear that Europeans have a right to have their data protected and only used in a manner for which they approve. Individuals must also be given on-demand access to data that organizations store on them, and many businesses must now employ a data protection officer.
Data minimization is another requirement: Any organization that collects or processes Europeans' personal data must collect only as much as they need - and are allowed - and delete the data in a timely manner.
"While not wishing to weaponize GDPR, it should be remembered that the right to data protection is an enshrined right - see Article 8 of the Charter of Fundamental Rights - and to that end awareness is key," tweets Ronan Lupton, a practicing Irish barrister who also serves as the chair of ALTO - the Alternative Telecom Operators Lobby Group.
Here's Article 8 - look at 8(2), it says it all really. Also, love your DPO: pic.twitter.com/UHRlzFRnZs— Ronan Lupton (@ronanlupton) May 25, 2021
Organizations that fail to take individuals' rights seriously or fail to protect their personal information - whether or not a breach occurs - can face GDPR penalties, especially if they fail to notify authorities within 72 hours of discovering a breach.
Failure to comply with any aspect of the regulation can lead to fines of up to 20 million euros ($24.5 million) or 4% of the organization's annual global revenue - whichever is greater. Violators can also be stripped of their ability to process people's personal data.
As of January, the law firm DLA Piper estimated that privacy regulators in Europe had imposed fines totaling more than $330 million since GDPR went into full effect.
3 Biggest GDPR Fines to Date
The three highest GDPR fines levied to date have been against:
- Google: In January 2019, France's privacy regulator, CNIL, hit Google with a penalty of 50 million euros ($61.3 million) for failing to clearly and transparently inform users about how it handles their personal data and for failing to properly obtain their consent for personalized ads.
- H&M: In October 2020, privacy regulators in Hamburg, Germany, imposed on Swedish clothing retailer H&M a fine of 35.2 million euros ($43.1 million) for improper workplace surveillance practices.
- Italian Telecom: In January 2020, Italy's data protection authority, the Garante, imposed a fine of 27.8 million euros ($34.1 million) on telecommunications operator Italian Telecom for multiple offenses, including retaining personal data for an unreasonable length of time and running noncompliant and overly aggressive marketing campaigns.
"There have been more than 782 fines to date; it's hard to get the exact number because there's still a lack of transparency among some data protection authorities," says Jonathan Armstrong, a partner at U.K. law firm Cordery. "Fines aren't just for security issues. Fines have been levied for transparency and fairness too, including the H&M fine."
Armstrong adds: "Some countries like Spain, and to a lesser extent Romania, are concentrating on many, lower fines. Other countries like France, for example, and some of the German DPAs, they're concentrating on fewer, larger fines. So there's a clear difference in approach amongst enforcement, but it's certainly on the up in most countries."
Regulators: 'Asking the Right Questions'
But many legal and privacy professionals say: Don't just look at GDPR fines, but instead look at how the regulation has increased the focus on, and expectations around, privacy and data protection.
"Regulators are being much more persistent. In my view, they're better at asking the right questions after a data breach, and even if you eventually end up with no publicity and no fine, that you're still being made to put more effort in to persuade a regulator that you've done the right thing," Armstrong says.
Another common refrain: Like any law, GDPR isn't perfect, and how it gets applied continues to evolve. Indeed, many privacy experts say that working out the growing pains will take at least several more years.
GDPR was adopted in April 2016 and full enforcement began in 2018, but EU member states' data protection authorities continue to refine their approaches.
How DPAs impose penalties continues to evolve, as shown in the adjustments of the final, much lower, fines seen last year in cases in the U.K. and Germany.
While the U.K. is no longer part of the EU, last year, the U.K. Information Commissioner's Office was allowed to complete two long-running investigations it was leading into breaches of Europeans' personal data at British Airways and Marriott.
In July 2019, the ICO issued notices of intent to fine British Airways 184 million pounds ($261 million) and Marriott 99 million pounds ($141 million). But in an apparent case of GDPR enforcement realpolitik, last November, the ICO announced final fines that were much lower: 20 million pounds ($28 million) for British Airways and 18.4 million pounds ($26 million) for Marriott.
The regulator said the massive reductions in fines took into account the hardship posed by the coronavirus pandemic on both industries. Legal experts say the final amounts were also designed to withstand any appeals court challenges.
That's a reminder that any organization on the receiving end of a GDPR fine has the right to appeal it in court.
Last November, for example, a German appeals court slashed by 90% the $11 million GDPR fine that had been levied against 1&1 Telecom by the nation's federal privacy watchdog over call center data protection shortcomings.
How GDPR Enforcement Might Evolve
Obviously, seeing proposed or levied fines get regularly slashed by 90% isn't a good look, since everyone will expect that discount.
"With an eagerness to set high baselines for fines, the risk of creating a body of precedent for write-downs on appeal gets created," says Daragh O Brien, managing director of Castlebridge, an information management consultancy based in Ireland. "You also completely remove any scope for escalation of penalty for recidivist offenders. As any parent knows, the worst thing you can do is go to the maximum penalty for the misbehavior of your kid. … You are left with no fallback if they don't cop themselves on [aka wise up]."
O Brien says one potential solution would be to issue moderate, focused and fixed fines - akin to parking tickets - "for black-and-white breaches of GDPR," such as when an organization fails to complete a data protection impact assessment to identify and minimize the data protection risks of a project.
A fined data controller could still appeal their fine in court, just like a parking ticket. "But smaller penalties, levied frequently but with certainty that they would happen, would be cumulative in their effect," he says. "This could be more meaningful, effective and dissuasive than huge, headline-grabbing fines which will, inevitably, be appealed and potentially reduced by up to 90%."
As GDPR grows older, that's just one of the ways in which the pioneering EU regulation might continue to evolve.