GDPR Fines Up 40% Last Year

By Robert Bateman

Penalties for breaching EU data-protection laws have increased by nearly 40% over the past 12 months, suggesting that the bloc is taking a tougher stance on privacy violations within its borders. 

But some experts told Digital Privacy News that the EU had some way to go before Europeans’ rights were protected adequately.

“Much of the talk before the General Data Protection Regulation (GDPR) took effect was about a penalty regime that allowed regulators to issue fines in the millions — and, in some cases, billions — of euros,” said Edward Machin, privacy and cybersecurity lawyer at Ropes and Gray in London.

“Those expecting large penalties straight out of the gate were disappointed, however, and the first 18 months of the GDPR’s life largely passed without event.

“Fast-forward another 18 months, and we’re seeing multimillion euro fines being issued on a regular basis — and that pace is likely to continue through 2021 and beyond,” Machin said.

Fines Up $193.4 Million

A report from the global law firm DLA Piper revealed that fines issued under GDPR increased by $193.4 million in the 12 months leading up to Jan. 27.

This represents a 39% increase in the total fines since the law took effect on May 25, 2018.

Machin noted that, along with steeper fines, the regulation was being enforced against a broader swath of offenses.

“Fines are also being issued in relation to an increasingly wide range of issues: from failure to notify breaches within the 72-hour deadline and illegal data-sharing practices — to ignoring subjects’ rights requests, excessive employee monitoring, and more,” he explained.


“Coupled with a growing claimant bar and privacy-interest groups that are filing actions directly against organizations — as well as bringing noncompliance to the attention of regulators — the first 18 months of limited GDPR enforcement now very much look like the calm before the storm,” Machin observed.

Some Disagreement

But not all observers agreed that EU authorities were toughening their stances.

Romain Robert, a data-protection lawyer at the Austrian privacy campaign group European Center for Digital Rights (NOYB, for None of Your Business), said that the EU was failing to give effect to its privacy laws.

“The mere existence of NOYB is due to the lack of enforcement of data-protection law,” Robert told Digital Privacy News.

“The number of fines is a logical consequence of the entry into force of the GDPR.

“The cases and the complaints are now leading to sanctions,” he said. “However, this is only noted with some data-protection authorities.”

Robert pointed to significant discrepancies between the enforcement activities of the EU’s regulators.

Differences Abound

Luxembourg’s data-protection authority, he noted, has yet to take any GDPR enforcement action.

On Jan. 25, NOYB filed an appeal against two decisions in which the Luxembourg regulator refused to take action. They involved two U.S. marketing-analytics companies, Apollo and RocketReach, which had violated EU law.

The Irish Data Protection Commission — which takes lead responsibility for tech giants Facebook, Google, Apple and Instagram — so far has only issued one fine against a big tech firm: Twitter, which received a $617,000 penalty in December.

Robert noted, however, that some regulators were more active, including those in Italy, France, and Spain.

The Italian data-protection authority has issued the highest amount of fines since GDPR took effect, totaling around $84.1 million.


The French regulator’s $60.7 million penalty against Google, issued in January 2019, is the single highest fine imposed under the regulation.

Spain has imposed $17.3 million in GDPR fines since May 2018 — the fifth highest of all countries included in the report.

“Some data-protection authorities are definitively more active and issued more or higher fines,” Robert told Digital Privacy News, “but some are really behind the others in terms of enforcement.

“Basically, I cannot conclude that the enforcement of the GDPR is a success,” he added. “I really think it is almost a failure.”

Cautious Optimism

Federico Marengo, an independent data-protection consultant in Milan, was cautiously optimistic about the EU’s direction on data protection.

“If sanctions are to have teeth, violations must be punished,” Marengo told Digital Privacy News.

“I think that national DPAs are cracking down on data-protection breaches — and, as a consequence, my guess is that many more GDPR fines will be issued in the future,” he said.

Marengo suggested the public was driving greater enforcement.

“There is greater public awareness concerning the wrongful use of personal data by many companies, chiefly by large tech companies,” he said. “Hence, individuals started exercising data-protection rights more often.

“This increase in the public awareness also puts pressure on DPAs to enforce the GDPR, or at least to start proceedings against noncompliant companies.” 


Marengo also pointed to the “quick reaction” of the Italian data-protection authority to investigate WhatsApp after it announced controversial changes to its privacy policy on Jan. 4.

“There are many challenges that data-protection authorities still face, mainly the lack of sufficient funding and how they will address international data transfers,” Marengo said. “But we have to remember that the GDPR is a game-changing regulatory scheme.

“While data-protection authorities are showing muscle and a greater willingness to enforce GDPR provisions,” he told Digital Privacy News, “companies are abandoning, however grudgingly, old data-management practices.”

Robert Bateman is a writer in Brighton, U.K.