It has been almost a year since the EU’s General Data Protection Regulation, Regulation (EU) 2016/679, came into effect on May 25, 2018, and we are starting to see the first emerging patterns of GDPR enforcement.
The Regulation was adopted in April 2016; however, regulators in some EU jurisdictions were not ready when it took effect. This probably explains the delay in actual enforcement actions.
Still, even from the relatively few GDPR enforcement actions so far, there are some valuable takeaways. Let’s look at the four major cases that have come from different EU Member states:
Google. The French Data Regulator (CNIL) fined Google €50 million ($56 million) for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” The regulator deemed that Google had not sufficiently informed users about how it was collecting personal data in order to use it for personalized advertising (Article 12(1)). The watchdog found that individuals were not able to access all the information regarding Google’s processing operations in a clear format, which led to the failure to obtain clear and informed consent (Article 7). Since the consent was not validly obtained, the regulator deemed that Google lacked a valid legal basis to process individuals’ data (Article 6(1)(a)). So far, this is the biggest GDPR fine issued by a European regulator.
Centro Hospitalar Barreiro Montijo. The Portuguese Data Protection Authority or DPA (CNPD) fined Centro Hospitalar Barreiro Montijo €400,000 ($449,000) for three violations of GDPR. The regulator found that the hospital’s account management practices were deficient: there were 985 active accounts for doctors even though only 296 doctors actually worked at the hospital, and any doctor had access to all patient files, regardless of the doctor’s specialty. The watchdog deemed this to be a violation of the basic principles of personal data processing, namely the “data minimization” principle (Article 5(1)(c)) and the “integrity and confidentiality” principle (Article 5(1)(f)). In addition, the regulator decided that the hospital had violated the obligation to implement adequate security measures to ensure the security of the processing (Article 32). Interestingly, this fine didn’t even involve an external data breach.
Knuddels.de. The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) in Germany imposed a fine of €20,000 ($22,500) on the social media company Knuddels.de following a hacking attack that resulted in the unauthorized disclosure of about 808,000 user email addresses and passwords. As part of the data breach notification, the company disclosed that the users’ passwords had been stored in an unencrypted form. The regulator deemed that the company had thereby infringed its obligation to guarantee the security of personal data (Article 32(1)(a)). The watchdog explained the relatively modest fine by citing the company’s “exemplary cooperation” and the significant improvement of its level of IT security in the aftermath of the hack and investigation.
Unnamed Limited Liability Company. The Austrian DPA (DSB) imposed a fine of €4,800 ($5,400) on an unnamed Limited Liability Company which runs a sports betting café for installing a CCTV camera that covered a public street and parking lots. The regulator deemed that the company had violated basic principles of personal data processing, namely the “lawfulness, fairness and transparency” principle (Article 5(1)(a)) and the “data minimization” principle (Article 5(1)(c)). Moreover, the watchdog deemed that the company lacked a valid legal basis to process individuals’ data (Article 6(1)(a)).
Although there have been few actual enforcement actions since the start of GDPR, there have been thousands of complaints made to the national Data Protection Authorities since May 25, 2018:
- The UK DPA received 6,281 complaints between May 25, 2018 and July 3, 2018, a 160 percent rise on the same period in 2017.
- In the first five months after GDPR’s entry into effect, there were 6,555 complaints to Data Protection Authorities in Germany, 2,547 complaints in Italy, and 3,767 complaints in France.
- There were 1,831 data breach notifications submitted to Polish Data Protection Authorities by businesses or other organizations.
- Multiple GDPR-related cases sit with the European Court of Justice (ECJ) with a decision yet to be reached.
What then are the main takeaways from the enforcement cases and reporting statistics so far?
Only one enforcement action out of the four involved an actual external breach. That may indicate that GDPR enforcement will be less reactively punitive and more proactively preventive. The amounts of the fines so far are quite modest, even nominal, which may confirm this enforcement pattern. Although the fine for Google may seem huge compared to the other cited cases, it is nominal for an organization of its size and revenues.
The Data Protection Authorities seem to be paying close attention to the lawfulness of data processing (Article 6) and whether the data controller actually has legitimate grounds to process individuals’ data. This consideration goes hand in hand with the violations of data processing principles, including lawfulness, fairness, and transparency, as well as data minimization.
Data Protection Authorities have received (and continue to receive) thousands of violation complaints and breach notifications. Clearly, as regulators increase their investigative capacity, the intensity of enforcement could increase dramatically.
Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years’ experience as a compliance officer. She’s the founder of Studio Etica, a boutique consultancy that provides advice on corporate ethics and compliance programs to companies around the world. She speaks English, French, Italian, and Russian.