GDPR fines are becoming more common. European authorities are now showing their teeth. New research from global law firm DLA Piper confirms what MEF has been telling its members for a while: the first year or so after implementation was a 'free pass', a learning period for the industry and regulators alike, but the regulators are now becoming much more active.
MEF predicted for 2020 much more scrutiny on data treatment and security in Europe, and we expect more of that in 2021.
The report from DLA Piper is available to download here, and shows some very interesting trends. Here is a quick review of some of the top insights.
- A total of €272 million was levied by European data protection authorities in fines since the introduction of GDPR in May 2018
- €159m were charged in 2020 – a 40% increase over the first 20 months since its launch
- Italy and Germany show the most active regulators/breaches (over half of the penalties were charged here)
MEF has long championed the need to put the consumer at the centre of this flow of information, allowing the exchange of even more data, but with the clear and conscious consent from the users. A new model of data is possible, and members of our Personal Data Workgroup are working to describe this transformation.
- The largest GDPR fine was issued against Google for €50 million by CNIL, the French data protection authority. Google was found not to be transparent about how data was used and not to have established a lawful basis for personalising advertisements.
- The third-largest GDPR fine was for a telecom player (after Google in first place and a German retailer in second place). TIM, the Italian telecom operator, was fined €28m in January 2020 for a number of breaches of GDPR in its telemarketing approach. This is the area where many telecom players have failed to implement guidance properly. The problems included breaches of transparency obligations, failing to have a sufficient legal basis for processing personal data, inadequate technical and organisational measures and breach of the principle of privacy by design. The data was not stored safely, partners were behaving badly – and hundreds of users complained to the Italian authority. Some of the 30 million phone numbers in the database were called by the partners 155 times during a single month.
- The highest number of notifications was found in Germany and the Netherlands: these were mostly data breaches (personal data lost to cyber-attacks). Security of personal data remains loose in many instances with limited care or simple operational negligence.
- Appeals against data protection authorities seem to work well. The Austrian supervisory authority saw its €18m fine imposed on Austrian Post overturned by the Austrian Federal Court on 2 December 2020. Similarly, the two fines issued by the ICO in the UK were reduced from £189.39m to £20m (a 90% reduction) and from £99m to £18.4m (an 80% reduction). The ICO noted that the discount was in part associated with the financial hardship caused by COVID-19. Nevertheless, it seems that it pays to appeal and to challenge the proposed regulatory sanctions.
- There are many open legal questions, including whether fines should be assessed against the global consolidated revenue or against the local organisation being fined. We have said this at MEF many times: GDPR is a robust piece of work on the principles of regulating personal data, but there is much that needs fine tuning. Enterprises, professionals and regulators should all take part in this debate now. As the GDPR matures and becomes stricter, its enforcement should equally develop and settle.
- One notable omission from the list of infringements is the breach of the Articles in Chapter V GDPR relating to the transfer of personal data to third countries and international organisations. It is likely to take a while for the ramifications of the recent Schrems II judgment of the EU Court of Justice to filter through to enforcement. There is still a large amount of work to do to understand the transfer of data from the EU/UK to other territories. The immediate impact might be that many companies simply stop moving data outside of Europe altogether.
The message is clear: GDPR was more than a simple checklist of activities to be completed in 2018. It is a new way to think about, plan and manage personal data. Those companies that fail to appreciate this difference will suffer the consequences.