The world’s most stringent privacy law, the European Union’s General Data Protection Regulation (GDPR), turned 2 years old on May 25. In those 24 months, the rules have put data privacy compliance on every board’s agenda and have given Big Tech notice that their activities—and revenue streams—are under review.
Yet while companies have made great efforts to comply with the regulation, many feel they still do not fully understand what it requires of them. Instead, many organizations are more acutely aware of the potential draconian punishments awaiting them if they mismanage data or fail to protect it properly.
Compliance Week takes a look at GDPR enforcement trends and efforts to standardize regulatory approaches so far and how lingering questions about compliance—as well as non-compliance—may be answered going forward.
1. Will enforcement even out across the European Union?
Some data experts describe 2019 as a “watershed year” for the GDPR. Google was hit with its first multimillion euro fine under the regulation, and British Airways and Marriott Hotels received notice from the U.K. Information Commissioner’s Office (ICO) that they are set to pay the colossal sums of £183 million (U.S. $238 million) and £99 million (U.S. $129 million), or figures close to them (though those fines are still yet to be official).
Certainly, regulatory activity in 2019 was higher than in 2018 as data protection authorities came to grips with complaint handling and ground on with their investigations. But, although fines and reported data breaches may have increased last year, commentators generally agree the penalties handed out under the GDPR have not been as harsh as they could have been—for instance, no company has been hit with the headline 4 percent of global turnover fine yet and few expect that to change in 2020. Furthermore, according to data from Privacy Affairs, while there has been a total of 273 GDPR fines imposed to date, totaling €153,525,487 (U.S. $169 million) in penalties, the levels have varied wildly: The single highest fine is still France’s €50 million (U.S. $55 million) penalty against Google from January 2019. The lowest fine, however, is just €90, or U.S. $99 (made against a Hungarian hospital). Many fines across the European Union are in the low hundreds of euros—hardly the scary prospect that many companies feared.
“The ambition of having one single GDPR law for the whole of EU is long way ahead.”
Bojana Bellamy, President, Centre for Information Policy Leadership
José Luis Piñar, counsel in the Madrid, Spain, office of law firm CMS and a former director of the Spanish Data Protection Agency, says an examination of EU enforcement records shows how varied regulatory approaches can be. For example, while Spain holds the record for the highest number of fines by far, the total amount charged for those penalties is lower than elsewhere in Europe. Similarly, notes information from GDPR Enforcement Tracker, while the Czech Republic and Italy have issued a similar number of fines each (13 and 11, respectively), the total sum is drastically different—some €32,175 (U.S. $35,387) compared to €39.4 million (U.S. $43.3 million). Several countries—Estonia, Finland, Liechtenstein, Luxembourg, and Slovenia—have yet to issue any GDPR fines.
At the start of the year there was hope there would be greater harmonization and standardization in the monitoring and enforcement approaches of Europe’s data regulators so that companies had greater clarity about data rules and regulators’ appetites to police them.
Lawyers and IT experts, however, generally agree that differences in approaches and interpretation among regulators will likely persist for the time being. “I fear that in the medium-term we will continue to see different approaches, pven disagreements between EU data protection regulators,” says Bojana Bellamy, president of the Centre for Information Policy Leadership, a global data privacy and cyber-security think tank. “Also, national courts will take different views, too, and we will end up with the Court of Justice of the EU [which interprets EU law to make sure it is applied in the same way in all EU countries] deliberating on many more data protection cases. The ambition of having one single GDPR law for the whole of EU is long way ahead,” she says.
Experts also agree the COVID-19 pandemic may have slowed progress toward harmonization, too, and that fines could be delayed while key investigations are stalled. For example, the ICO indicated in April it has delayed finalizing BA and Marriott’s fines and is prepared to give companies more leeway in the way they report and rectify any data breaches while the current worldwide health emergency continues. It also hinted at possible fine reductions given the poor financial state of some companies. Other EU data protection authorities have made similar measures. On May 7, the ICO went further and issued a statement that it would also pause its investigation into real-time bidding and the AdTech industry, saying it was not its intention to “put undue pressure on any industry at this time.”
In short, the ICO—one of the biggest and best-resourced data protection authorities in the European Union—tacitly admitted it cannot pursue investigations into what many IT experts and privacy campaigners say are major areas of personal data abuse.
“COVID-19 has changed the world,” says Robert Lands, partner and head of IP & commercial at law firm Howard Kennedy. “Regulators have not gone soft. The factor that is most likely to delay big fines is simply that the virus will make it difficult for supervisory authorities to complete their investigations.”
According to a report published earlier this month by Brave, a tech company that promotes a private browser to protect users’ data, half of the EU’s data protection authorities have annual budgets of under €5 million (U.S. $5.5 million). Three—Estonia, Malta, and Cyprus—have budgets of less than €1 million (U.S. $1.1 million). It also found that only six of Europe’s 28 national data protection authorities have more than 10 tech specialists (Germany, Spain, France, United Kingdom, Ireland, and Greece), while seven authorities have just two tech specialists (or less).
“COVID-19 has changed the world. Regulators have not gone soft. The factor that is most likely to delay big fines is simply that the virus will make it difficult for supervisory authorities to complete their investigations.”
Robert Lands, Partner & Head of IP & Commercial, Howard Kennedy
The report says the level of available funding impacts the quality of enforcement. As such, it calls for the European Commission to intervene by launching an infringement procedure against EU member states for failing to provide data protection authorities with adequate budgets—even referring them to the European Court of Justice, if necessary. It also said the European Data Protection Board (EDPB), the EU body charged with overseeing how member states oversee and enforce the GDPR, should develop an EU unit to assist national data protection authorities in tech investigations.
Some experts believe any relaxation in regulatory scrutiny could inadvertently act as a signal for companies to either ride roughshod over the rules or downgrade the importance of compliance.
“There is always a risk that delays in investigations and outcomes will cause complacency,” warns Jane Sarginson, a barrister at St Philips Chambers, while Camilla Winlo, director of data privacy consultancy DQM GRC, says, “There is clearly a danger that organizations facing tough times will interpret any sign that the regulator is relaxing their stance as a signal to reduce their focus on data protection.”
2. Will Ireland toughen up?
Ever since the GDPR came into force, all eyes have been on what early actions Ireland’s Data Protection Commission (IDPC) would take given that it is the EU regulator of choice for the world’s biggest technology firms, including Google, Apple, Twitter, Microsoft, and Facebook. And up until a week ago, the regulator seemingly had little to boast about.
But with impeccable timing, on May 22—just ahead of the regulation’s second anniversary—the IDPC handed Tusla, the country’s child and family agency, its second (as yet unspecified) GDPR fine just days after handing it Ireland’s first.
The IDPC also used the announcement to trumpet its progress in its efforts to take on Big Tech—a thorny issue with other EU data authorities (most notably Germany’s) and privacy campaigners, who have bemoaned its slow progress.
The regulator has submitted a draft decision to other EU data protection authorities regarding a self-reported GDPR breach by Twitter, as well as a preliminary draft decision concerning WhatsApp and the information it shares with Facebook. The IDPC also announced it has completed an investigation into Facebook over how it processes personal data, adding it is deciding what—if any—penalty it will recommend, and that it has sent draft inquiry reports following separate investigations into Instagram and WhatsApp. Additionally, it noted that an EU court judgment on the IDPC’s decision regarding privacy campaigner Max Schrems’ complaint against Facebook is due for release on July 16.
For Schrems, however, the IDPC announcement is too little, too late. On May 24 he sent an open letter to every EU data protection authority, the EDPB, the European Commission, and European Parliament criticizing Ireland’s slow progress, pointing out France’s CNIL was able to single-handedly issue a €50 million (U.S. $55 million) fine against Google within seven months, while after two years, the IDPC has completed only the first of six steps in the cases against Instagram and WhatsApp. He also questioned the IDPC’s appropriateness as a regulator. “The GDPR is only as strong as its weakest [data protection authority],” he said.
Ireland, with an annual budget of just €16.9 million (U.S. $19 million), is responsible for leading 127 GDPR-related investigations—more than any other country in Europe. Some 23 of these are investigations into Big Tech firms, with 11 relating to Facebook alone (seven relating to Facebook’s Irish subsidiary and one to the parent company, two to WhatsApp, and one to Instagram). None of these investigations have been completed yet; nor are they likely to be before autumn at the earliest, the IDPC admits.
Under the GDPR, multinational companies are meant to select the data protection authority they believe is the most pertinent regulator for them: For most companies, it is the regulator based in the same country where they have their European headquarters. Big Tech has overwhelmingly chosen Ireland. Under the GDPR—as part of its “one-stop shop” mechanism—the designated data regulator is meant to field all complaints against that company, even if they come from other member states: For example, a Spanish complaint against Twitter should be dealt with by the IDPC.
While Google has its European headquarters in Ireland, however, both of its GDPR fines have been handed down by other EU data protection authorities: France’s CNIL fined Google €50 million (U.S. $55 million) in January 2019, while the Swedish data protection authority fined it 75 million Swedish Kroner (U.S. $7.6 million) in March this year.
In the French case, EU data protection authorities decided that the case could be handled by the French data regulator since the Irish watchdog did not have “decision-making power” over Google’s Android operating system and its services. In the Swedish case, the regulator said it was enforcing corrective actions regarding delisting user data the company had failed to implement in 2017 before the GDPR had come into force. Precedents have therefore been set showing Big Tech (and other companies) can be hit by multiple regulators, and for possibly the same infringements, irrespective of where they might be based.
Expectations about the likelihood of Ireland hitting a Big Tech company with a fine equal to 4 percent of global turnover, which would produce the first billion-euro penalty, remain low. The country has a reputation for taking a “light touch” toward monitoring conduct or enforcing regulations, and of cozying up to big companies—evidenced by the Irish government’s highly generous tax treatment of Apple (allowing it a tax rate of 0.005 percent in 2014, compared to the standard 12.5 percent for every other company) and its reluctance to accept repayment.
Critics (and cynics) point out Ireland’s position as a major EU technology base has helped rescue its economy following the 2008 financial crisis and continues to do so now during the coronavirus pandemic. “A maximum turnover-based fine would be a bold move from the Irish regulator, especially when its government sought to create a welcoming European base for Big Tech,” says Daniel Milnes, a partner and information lawyer at Forbes Solicitors.
3. How will GDPR enforcement develop in the future?
Much of the focus of the GDPR’s first two years has been about the level of fines and the speed at which they are issued. But there is more to the regulation than just its punitive powers.
Data lawyers, privacy campaigners, and compliance professionals had hoped a slew of GDPR decisions that have been in the works for months would have produced much-sought-after clarity about what data practices are unacceptable and what internal measures may help to stave off the dreaded maximum penalty if an organization suffers a breach. The complexity of many of the cases, the sparse resources and staff numbers of many of the data protection authorities, and the impact of COVID-19, however, have held up progress. As such, experts hope that by the GDPR’s third anniversary there will be a clearer picture.
Tanguy Van Overstraeten, a partner and global head of law firm Linklaters’ privacy and data protection practice, believes that in the future “businesses need certainty and a more unified approach” regarding sanctions, enforcement, and interpretation of the GDPR across the European Union. He points out that while there is growing harmonization within the European Union (as well as in third countries with similar data rules), he says “there are still significant differences” between member states on issues as wide-ranging as the age of children requiring parental consent, guidelines on the use of “cookies” on Websites, and criminal records.
Many lawyers agree there needs to be greater standardization, but they concede this is currently difficult to achieve: European regulators now apply different rules for the calculation of fines, for instance, which means there is little consistency in penalties from one EU member state to another.
Some believe, however, there will be greater alignment in the way EU data protection authorities interpret and enforce the GDPR in the coming year due to the number of decisions coming down the pipeline, as well as decisions around appeals likely to be published (even if delayed).
“Enforcement approaches between EU [data protection authorities] are likely to become more aligned as more decisions are appealed, and appeal rulings are released, which will provide greater clarity about how penalties are arrived at,” says Annabel Gillham, a partner in the data protection team at law firm Morrison & Foerster.
“It takes time under new laws for cases to be investigated and for enforcement action, if appropriate, to follow,” says Helen Davenport, data privacy partner at law firm Gowling WLG. “The GDPR is no different.”
For some, however, the focus on fines is “irrelevant,” particularly regarding the actions of Big Tech.
Tech company Brave Chief Policy Officer Dr. Johnny Ryan says the only effective way to tackle data abuses is to prohibit abusive practices. As such, he has a negative view of the effectiveness of many of Europe’s data protection authorities so far.
“The U.K.’s ICO has not managed to make its larger fines stick and has backed off Big Tech problems,” says Dr. Ryan. “Over two years since I blew the whistle about what our industry was doing to target ads, the ICO has yet to use any of its statutory powers to investigate the issue or to protect people in the U.K. from it.”
“The only true way to measure a regulator’s effectiveness is to ask: ‘Have we stopped the harm? Have we stopped the business models that allow the harms to take place? Have we prevented these abusive practices from happening again?’ The answer to all of these questions is ‘no.’ A fine may not necessarily change how a company operates. Forcing firms to change the way they process and handle data is the only way forward.”