GDPR Enforcement - The Experience So Far

Privacy & Cybersecurity Newsletter
August 2019

In 2018, GDPR compliance was a main focus for many organisations around the world. GDPR enforcement is likely to continue to grab the headlines in 2019 and beyond.

At the end of January, the EU Commission reported that over 95,000 data protection complaints had been filed with data protection authorities in the first eight months of GDPR. During that same period, organisations self-notified over 40,000 personal data breaches, a massive increase compared to the pre-GDPR figures.

As is probably well known by now, the penalties for breaching the GDPR, which apply to any organisation with an establishment within the EU or which markets to or monitors individuals in the EU from outside it, can be enormous. The maximum being a fine of €20 million and 4% of world-wide group turnover, whichever is higher.

Enforcement Action - Penalties
Inevitably there is a material time-lag between the GDPR having come into force, complaints having been made and investigated and penalties issued to organisations. Indeed, since GDPR, most of the penalties which have been issued by authorities have been under the previous law, such as the UK ICO’s record fine of £500,000 issued to Facebook in October for data protection breaches which took place between 2007 and 2014.

Owing to this time-lag, the first GDPR penalties have only recently started to emerge. The first major penalty was issued by the Portuguese DPA, which fined a hospital €400,000 for breaching the GDPR’s data security requirements. The German DPA followed closely, issuing a fine of €20,000 for a similar breach – the significant difference being the level of co-operation between the organisation and the authority.

A recent report calculated total GDPR fines at around €239 million to date. The French Authority, CNIL imposed €50 million fine on Google LLC, resulting from a finding that Google had breached GDPR by providing insufficient transparency and inadequate information as to its data processing, and not obtaining valid consent regarding personalized advertising. In July, British Airways and Marriott were notified of potential fines following security breaches. Click here for more.

CNIL levied the fine against Google despite recognition of Google’s efforts to put appropriate policies and notices in place – this was not a case of Google ignoring GDPR, but rather of CNIL finding that Google’s compliance steps were insufficient. Google has not accepted this and has appealed.

GDPR fines must be proportionate, so it is worth looking at why CNIL imposed such a large penalty. It considered that Google had violated some of the basic data protection principles; that the violations were continued and, given the massive and intrusive collection of personal data, that they were severe. In addition, Google’s model is based on the value of users’ personal data from which it obtains benefit and it occupies an important position on the operating system market.

Looking Forward
With limited experience of GDPR enforcement so far, we remain at the early stages. The issues to be monitored going forward include:

  • How strictly data protection authorities will interpret the GDPR’s provisions where there are grey areas?
  • What types of non-compliance will be regarded as most serious?
  • How much will a business’s good faith efforts to comply be taken into consideration in assessing penalties?
  • How large will fines be?
  • Will there be a consistent approach across data-protection authorities in different EU countries?
  • Will data subjects bring private claims for compensation, as opposed to complaints to the authorities?