A leading privacy campaigner who is behind the first European class-action complaints against tech giants Facebook and Google has criticised the penalties that can be meted out under the EU’s new data regulation and has slammed Europe’s historically poor record of enforcement over data privacy issues.

Max Schrems, founder of NOYB (“None of Your Business”)—European Centre for Digital Rights, believes that the level of fines available to national data protection authorities under the EU’s newly enacted General Data Protection Regulation (GDPR) is so high that it will simply force companies to contest the complaint and any penalty rather than accept any wrongdoing, thereby stalling judgments.

Under GDPR, national data regulators can issue fines of up to €20 million (U.S. $23 million), or up to 4 percent of annual global revenues—whichever is greater. Yet Schrems is unsure whether such strong fines are an appropriate deterrent and believes that “€100,000 (U.S. $114,170) would have been sufficient for most companies.”

“I was actually pretty unhappy about the €20 million as a general price tag,” said Schrems, speaking at Compliance Week’s European conference in Amsterdam in November. He dismissed the €20 million figure as “a populist big number that you can just put out in the newspaper.”

In front of an audience of more than 200 compliance professionals and other attendees, Schrems also suggested that the top-line fine of 4 percent of global turnover may not be quite the sizeable fine that it appears to be.

“If you’re really big and data’s your main business, a case like that usually takes 5 to 10 years to resolve [and the fine] is only 4 percent of your annual turnover anyway,” said Schrems. Consequently, he said, it may be a “worthwhile investment” for data companies to continue as they are and legally challenge data regulators’ complaints and investigations for years. That way, he said, they can continue to generate massive revenues before they are required to change their practices.


“So I wonder if, for these guys, the 4 percent [penalty] is even sufficient,” he said.

Schrems believes that data protection in Europe has been let down in the past by lax enforcement. The “big criticism,” he said, is that while “we walk around and say we’re the biggest privacy protectors the world has ever seen … the bottom line is that … there are all these fundamental rights and privacy law in Europe, but if you don’t really comply, nothing is ever going to happen anyway.”

Referring to the previous EU data protection directive, Schrems said: “The reality is we had a nice law, but no one ever enforced it in practice,” adding that “financially, it made more sense for most companies to just totally ignore it than follow the law” because the cost of compliance was disproportionately larger than any penalty. In Austria, for example, the maximum fine for a data breach under its data protection laws was just €25,000 (U.S. $28,000); compare that to the £500,000 (U.S. $639,000) maximum that Facebook received in October from the U.K.’s Information Commissioner’s Office.

Although the GDPR—as well as the European Data Protection Board, which is meant to oversee how national data protection authorities implement the new rules—is supposed to ensure uniformity, Schrems thinks that the level of enforcement on privacy issues may continue to be uneven throughout the European Union.

He also thinks there are likely to be differences in the approach and “culture” that national regulators take. For example, he says, some national data protection authorities will try to help companies comply, “which, in practice, we don’t do in most other fields, because we know that their actions are massive violations of the law,” while others will simply fine them—possibly taking on smaller companies (the “low-hanging fruit,” as he referred to them) first. Some may also be keener than others to try out the extensive powers that the GDPR provides them with.

According to Schrems, when he brought his first complaints against Facebook to the Irish Data Protection Authority in 2011, the Authority’s office was based in a small town outside of Dublin and was situated above a supermarket. It had a staff of just 20 people—none of whom was a lawyer or a trained technical expert. With the onset of GDPR, however, the regulator now has a staff of more than 100 people and has in-house legal and technical experts.

“It’s going to be interesting because certain data protection authorities now have, for the first time, serious power to enforce stuff or to raid a company and really say, ‘We want to see what’s on your servers,’” said Schrems.

“Certain DPAs are being—at least in public—very bold and are saying, ‘We’re now going to use these powers as well,’ while others have already said, ‘We’re more or less going to continue to help companies.’ So that’s going to be interesting to see how the culture changes,” he added.

He declined, however, to predict which data regulators would be the most or least aggressive. “We don’t really have a ranking so far,” said Schrems, though he added that “we’re doing a mapping exercise to understand the possibilities of where to enforce stuff.”

Schrems’ NOYB is a non-profit organisation set up to champion consumer rights and launch “strategic” court cases under GDPR, the proposed EU ePrivacy directive, and on privacy issues in general, so he has an interest in checking the enforcement records of EU members.

Under Article 80 of the GDPR (which refers to representation of data subjects), not-for-profit organisations can make class-action-style compensation claims for consumers if the case is in the public interest. On 25 May, when the regulation came into force, Schrems filed the first complaints using GDPR against Google and Facebook over the way both companies coerced consumers into accepting their data policies to use their services. The companies could face combined penalties of up to €7 billion (U.S. $8 billion) under GDPR, but it is likely to be a lengthy—and expensive—process, he admits.

While data companies are likely to be key targets, Schrems believes that few other companies have woken up to the real threat that Article 80 may pose, as GDPR allows people to claim for “emotional damages”—a new concept for many EU jurisdictions, he says, and one that has a “price tag.”

“GDPR now foresees emotional damage in the sense of, ‘You lost a million data sets, these million people now have the emotional fear of the data somewhere in Russia.’ And there is going to be a price tag on that,” said Schrems.

“We don’t know the price tag, and it is going to be very different in member states. For example, Austria has very limited damages awards. But there are some member states that have much higher ones. The interesting thing is usually these cases are mass damages, so if you have a database with a million people, you have a million people that have a claim against you,” he added.

Schrems pointed out that in Canada, for example, a single privacy violation can cost a company up to €20,000 (U.S. $23,000) in damages. “If you multiply that by a million people, then you get price tags that go way beyond the €20 million in damages and penalties,” said Schrems. And while regulatory penalties can be lowered if companies can prove they had measures, protocols, and procedures in place to mitigate the risk of a breach, damages awards cannot.

“Damages are calculated on the damage you did. It doesn’t matter if you tried to comply with the law or totally ignored it—the damage is the same,” warned Schrems.