GDPR enforcement varies widely by country

According to the European Data Protection Board (EDPB), the body that reviews and provides guidance about how the GDPR should be applied across the European Union, there have been 281,088 cases logged by the various supervisory authorities in the first year of the GDPR’s application. Of these, 144,376 related to consumer complaints and 89,271 related to data breach notifications by data controllers. The Netherlands, Germany, and the United Kingdom have reported the largest number of breaches, respectively; Liechtenstein, Iceland, and Cyprus have reported the lowest.

The three areas that have been subject to the most consumer complaints are telemarketing, promotional emails, and CCTV/video surveillance.

Yet, according to law firm DLA Piper’s “GDPR Data Breach survey” released in February, just 91 GDPR fines had been handed out across the European Economic Area within the first eight months of the GDPR coming into force. That figure has now risen—but not by much, say experts. The EDPB’s February 2019 report to the European Parliament indicated 11 countries had imposed GDPR fines totaling approximately €56 million (U.S. $63 million)—including the €50 million (U.S. $56.3 million) levied against Google by France’s CNIL.

Most EU countries have now issued fines under the GDPR (those that have not are Belgium, Ireland, Czech Republic, Denmark, Finland, Italy, Slovakia, Slovenia, Spain, and Sweden). For the most part, the quantum to date has been in keeping with the old regime, meaning relatively modest penalties. Leaving aside headline cases, up until this February the average fine levied was around €66,000 (U.S. $74,000).

Determining which countries are the toughest enforcers depends on one’s viewpoint. Before last week, the United Kingdom hadn’t issued a single fine; now it’s in pole position with a penalty tally over four times more than the rest of Europe put together. A lot depends on the approach of each supervisory authority. Many have preferred to educate and cooperate, rather than punish, using the GDPR’s first year as a grace period to promote compliance (Belgium, Cyprus, and Latvia are some examples).

Some, like Austria, have decided to target general, low-level abuses that could apply to a wider range of organizations, rather than aim for big tech firms as a priority. For example, in September 2018, the Austrian supervisory authority, the DSB, fined a sports betting café €5,280 (U.S. $5,900) for installing a CCTV camera that recorded passers-by, in contravention of the GDPR’s ban on large-scale monitoring of public spaces.

Some of the more severe penalties to date have focused on technology misuse at one end of the spectrum and general data sloppiness at the other. For example, the national soccer league in Spain, LaLiga, was fined €250,000 (U.S. $280,000) for offering an app which—without their knowledge or consent—accessed the microphones of users’ mobile phones for the purpose of detecting whether pubs that were screening soccer matches had actually paid a fee to do so.

Meanwhile, a Portuguese hospital was fined €400,000 (U.S. $449,000) after an investigation revealed the hospital’s staff, psychologists, dieticians, and other professionals had unlimited access to patient data through false profiles. A subsequent audit carried out revealed the hospital had 985 registered doctor profiles despite only having 296 doctors.

Germany’s 16 data supervisory authorities have been the most proactive enforcers, handing out a total of 75 fines since the GDPR was implemented. The first was in November 2018, when the LfDI Baden-Württemberg fined the social media platform Knuddels €20,000 (U.S. $22,000) for storing passwords in plaintext, following a data breach in which approximately 330,000 users’ personal data was compromised. The highest German fine to date was also issued by the Baden-Württemberg authority: €80,000 (U.S. $90,000) to a healthcare organization that exposed sensitive personal data.

Hungary, meanwhile, has handed out the largest fine in respect to proportion of an organization’s turnover. The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) issued a HUF 30,000,000 fine (U.S. $103,000) to the organizers of the Sziget multicultural music and arts festival over their security procedures, which involved photocopying IDs of hundreds of thousands of festival-goers and taking photos at the entry gate. The penalty represented 2.3 percent of the company’s net revenue.

While the Netherlands has issued very few fines, it has dealt out one very sizeable, high-profile one. Last November, the Dutch Data Protection Authority hit taxi-app firm Uber with a €600,000 (U.S. $673,000) penalty for “violating the Dutch data breach regulation” by failing to inform the regulator within 72 hours of discovery that it had suffered an unauthorized breach that affected 57 million Uber users worldwide (of which 174,000 were Dutch citizens). It also came to light that Uber had paid the attackers $100,000 to destroy the data, which included the names, e-mail addresses, and telephone numbers of customers and drivers they had downloaded.

Karen Holden, founder of London legal practice A City Law Firm, says GDPR regulators have generally set out several conditions that are considered when issuing fines, such as the nature of the infringement (external hack, negligence, or both); what type of data was compromised; what actions were taken following the incident; and how cooperative the company was with regulatory and authoritative entities.

“It is clear that each case is judged on its own merits and is very much dependent on the facts of each case,” says Holden. “In the case of Knuddels in Germany, for example, the company was spared a much harsher penalty due to its effective strategy in responding to and dealing with the data breach,” she says.