The stats are in for the first year of GDPR, Europe’s gold-standard data privacy law. GDPR fines totalled €56M, with more than 200,000 investigations, 64,000 of which were upheld.
However, the fines were dominated by a single case, with most ranging in the single-digit thousands …
As our sister site 9to5Google noted back in January, €50M of the €56M total was a single fine against Google. France’s National Data Protection Commission (CNIL) found that the company failed to comply with its obligation to be transparent about the data it was collecting and using to serve personalized ads.
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information
Legal database Lexology rounded up the GDPR fines imposed in each European country, finding that relatively few fines have been imposed, and that these were generally for small sums.
Google aside, examples ranged from countries like Slovakia and Sweden, which have yet to issue a single fine, to countries like Poland, Portugal and Spain, which have fined companies several hundred thousand euros.
The Netherlands is an interesting example: it has issued only one fine, but that was a sizeable one.
Only one fine has been imposed: Uber was fined EUR 600,000 for breaching the reporting obligation for data breaches. This data breach took place at the Uber Group in 2016 (since 2016 there was already an obligation to report data breaches in the Netherlands, but with much lower penalties): unauthorised individuals were given access to customers’ and drivers’ personal data (names, email addresses and phone numbers). The Uber group was fined because it did not inform the DPA and the data subjects involved within 72 hours following the discovery of the data breach.
Austria has issued only three GDPR fines, all for tiny amounts.
In Austria, first breaches of the GDPR can basically only be sanctioned by a warning; the Austrian DPA imposes fines from the second breach onwards.
So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.
The BBC notes that Ireland is of particular interest due to the number of tech giants whose European operations are based there. Apple is among the companies to have been investigated, but of the 19 investigations to date, 11 are into Facebook and its subsidiaries.
Most of the major US tech companies, including Facebook, Google, Microsoft, Twitter, Apple, LinkedIn, Airbnb and Dropbox, are registered for processing personal data in Ireland.
Ireland’s Data Protection Commission says it has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram.
Twitter and LinkedIn are also under investigation, and last week the commission launched a probe into Google over the way it uses personal data to provide targeted advertising […]
The most common concerns are about the legal basis for processing personal data, lack of transparency about how a company collects personal data, and people’s right to access their data.
Facebook says it is cooperating fully with the investigations.
A Facebook spokesperson said: “We spent more than 18 months working to ensure we comply with the GDPR.
“We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have.”
GDPR fines can go as high as 4% of a company’s total global turnover in the most serious of cases.
GDPR in the US
Some companies, including Apple and Microsoft, have already pledged to extend GDPR-standard privacy protections to their customers worldwide. However, there are growing calls for a US federal privacy law modelled after GDPR.
Apple CEO Tim Cook has made repeated calls for a US federal privacy law that would mirror GDPR protection, including in a TIME magazine op-ed. Microsoft recently backed that call.
There is bipartisan support for a federal privacy law, but no consensus on the best approach.