Ever since the General Data Protection Regulation (GDPR) came into force over two years ago, it is fair to say some companies (and media outlets, for that matter) have focused more on the potential fine capabilities regulators have at their disposal than actual compliance with the legislation.
The fact that organizations can be hit with fines of up to €20 million (U.S. $23.5 million) or 4 percent of global turnover (whichever is greater) for failure to protect personal data is well known, and there is little doubt these are seriously punitive sanctions.
But relatively few truly huge fines have yet been meted out, and many experts are coming around to the view that hitting a firm with the maximum penalty is unlikely to happen anytime soon. They also question whether any company would realistically change its data policies because a firm like Google or Twitter was hit with a 10-figure GDPR fine, since no company other than a technology giant would see itself in that same light.
Indeed, the Irish Data Protection Commission (DPC)—the European Union’s data regulator for the likes of Google, Apple, Twitter, and many others—has hinted that instead of issuing eye-watering fines, it is looking at using other “corrective actions” to get companies to toe the line on GDPR and commit to best (and legal) practices.
Such measures available to data protection authorities include issuing advice and guidance; warnings and reprimands; voluntary or mandatory audits; orders to comply with data subjects’ requests; and orders to rectify, erase, or restrict processing.
Perhaps the most relevant corrective power a supervisory authority has, particularly with regard to Big Tech and data firms, is the ability to impose a temporary or definitive limitation, including a ban on processing, and to order the suspension of data flows to a third country and/or an international organization.
“For companies that have data flows that traverse borders, limiting processing and data flows as a corrective power can be more effective than a fine,” says Viger Yang, senior consultant and data privacy specialist at financial services technology firm Citihub Digital. “In an increasingly connected world where personal data has no borders, this would be a showstopper for many.”
According to a European Commission document issued in June, some 13 EU/EEA (European Economic Area) authorities have imposed limitations on processing, and 17 have issued orders to rectify, erase, or restrict processing.
“Without the ability to process and monetize data, companies may have no choice but to address their compliance gaps as the potential loss in revenue, inability to service customers, and resultant reputational damage may outweigh the cost of a fine itself,” says Yang. “If companies do not voluntarily address their practices, then it may become increasingly common to see companies relocate operations outside of the EU or rescind services to EU customers.”
Despite the tough sanctions at their disposal, regulators generally try to adopt a “carrot and stick” method, using fining powers “judiciously” alongside a more collaborative approach to effect behavioral change, says Camilla Winlo, director of data privacy consultancy DQM GRC.
Winlo believes massive fines will simply result in the offender spending more time and resources trying to appeal the penalty than actually complying with it, especially since Big Tech firms have very deep pockets compared to the bodies that are meant to keep them in check.
France’s data protection authority CNIL—which successfully handed Google its biggest GDPR-related fine to date of €50 million (U.S. $57 million, or less than 1 percent of the supposed maximum fine the regulator could have imposed)—has a budget of around €25 million (U.S. $29 million). The Irish DPC’s budget, though increased, is still just €19.1 million (U.S. $22.5 million). Luxembourg, which is responsible for regulating Amazon, had a budget of €5.7 million (U.S. $6.7 million) last year, which is roughly equivalent to what the online retailer chalks up in sales over 10 minutes. Accordingly, regulators can quickly see their resources get drained by a protracted fight with any company that has significant financial muscle.
Instead, the use of “soft power” and influence can be more effective in such situations, says Winlo. In the United Kingdom, for example, the Information Commissioner’s Office has stated a preference for working with organizations to improve compliance and imposing fines only as a last resort. Winlo says such an approach results in “meaningful change.”
“Soft power is having visible effects as we are starting to see data protection compliance enforced via the data supply chain, starting with the tech giants,” she says.
In many cases data protection authorities are using their powers under Article 58 of the GDPR to force companies to take corrective actions in conjunction with their powers under Article 82 to levy administrative fines.
For example, in January the Italian data regulator not only required Telecom Italia to pay a €27.8 million (U.S. $32.7 million) fine for having an insufficient legal basis for some of its data processing activities, but also imposed 20 additional corrective measures on the company, including requirements to comply with the provisions of the GDPR and a prohibition on using personal data for marketing activities without the appropriate consents.
That said, some experts believe fines still have a strong role to play in ensuring effective compliance.
Robert Lands, partner in the intellectual property and commercial practice of law firm Howard Kennedy, says that “changing practices to comply with rules does not get the attention of the board—large fines do.”
Alex Scheinman, managing director for cyber-security and risk at advisory firm ACA Compliance Group, says, “A shift in the regulatory focus away from administrative fines to corrective measures should only be based on empirical evidence that firms would be more likely to adopt behaviors that will promote compliance and safeguard individuals from harm.”
“In the absence of evidence to that effect, a more promising path forward would be for the supervisory authorities to apply a more consistent and transparent approach to the application of fines,” Scheinman adds.