GDPR Implementation and Fines – A One Year Review
It has been almost a full year since May 28th, 2018 when the EU’s General Data Protection Regulation (GDPR) went into effect. The policy lays out the responsibilities of companies to ensure the protection and privacy of their consumer’s personal data. In addition, it provides certain rights to personal data and grants regulators the power to impose fines on organizations that are not GDPR compliant.
In the first nine months of GDPR taking effect, the European Data Protection Board (EDPB) found that there were over 200,000 cases reported. Approximately 65,000 cases were data breaches reported by a data controller and 95,000 were complaints. Of the 200,000 cases, 52 percent have been closed, and 1 percent are currently being challenged in national courts.
GDPR Fines and Non-Compliance – Case Studies
The GDPR imposes stiff fines on companies for non-compliance. According to the GDPR, there are 10 criteria used to determine the amount of the fine:
- Nature of Infringement – # of people affected, type of damage, duration of infringement, and purpose of processing.
- Intention – if the infringement is intentional or negligent
- Mitigation – action taken to mitigate damage
- Preventative Measures – the level of preparation prior to the incident
- History – past relevant infringements, whether under the GDPR, the Data Protection Directive, or past administrative corrective actions under the GDPR
- Cooperation – the level of collaboration between the firm and supervisory authority in remedying the infringement
- Data Type – what types of data were impacted (see GDPR special categories of personal data)
- Notification – how the infringement was reported to the supervisory authority
- Certification – whether the firm was GDPR certified prior to the breach or adhered to approved codes of conduct
- Other – other aggravating or mitigating factors
The GDPR lists two levels of fines. The lower level is up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher. The higher level is up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
In the past year, GDPR violations have resulted in fines totaling €56 million. The largest fine was imposed on Google for €50 million in January. The French data protection agency (CNIL) found that Google was not properly disclosing to users how data is collected. Specifically, Google was in two breaches of GDPR. The first violation was with the obligations of transparency and information. Google’s information about data processing and data storage were not easily accessible to users. To access the relevant information about ads personalization, users had to go through 5 or 6 actions across several documents to find complete information on their data. Users are also not able to understand the extent of the processing operations. Google carries out large operations to provide its services, and the company’s policies about the purposes of processing are described in generic terms. The information communicated is not clear enough for the user to understand the legal basis of processing operations for the ads personalization.
The second violation was the failure to provide a legal basis for ads personalization processing. The CNIL claims that user’s consent is not validly obtained. Users’ consent is not sufficiently informed because the information on the processing operations for the ads personalization is spread out and prevents users from understanding the extent of information and services involved. In addition, when an account is created, the user must go through additional steps to configure the display of personalized ads. There is a lack of affirmative consent from the user because the option to display the ads is pre-ticked. Therefore, GDPR’s definition of consent is not respected when creating a Google account.
While the committee decided to not enforce a higher fine, the decision signals a warning shot to tech companies. Given the high-profile of the case coupled with the importance ads personalization to Google’s business model, the fine serves to reinforce the importance of ensuring GDPR compliance for businesses that fall under its jurisdiction. Google has decided to appeal the decision.
The second case study involves the German chat platform Knuddels.de. Knuddels experienced a data breach where hackers were able to obtain 800,000 user email addresses and over one million user pseudonyms and passwords. The hack was due to user information being stored in unencrypted plain text. Despite the severity of the data breach, with the information of 330,000 being published online, the German Data Protection Authority (DPA) decided to only fine Knuddels €20,000. Knuddels swift response, cooperation, and communication both with its users and the GDPR demonstrated its commitment to data protection and resulted in a lower fine. The DPA stated that it “is not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
What Can Businesses Learn from 2018-2019?
Here are three takeaways businesses should remember after a full year of GDPR:
- The Google and Knuddels cases demonstrate that regulators are not seeking the highest fines for companies. A company’s response to non-compliance or data breaches can significantly influence the resulting fine for a GDPR violation.
- The vast majority of cases are either data breaches or complaints. About half of the complaints are related to how subject access requests have been handled. Businesses should focus on ensuring their subject access requests are GDPR compliant and provide a robust policy to ensure overall compliance (please see our “GDPR GOES INTO EFFECT ON MAY 25, 2018” article for reference).
- Regulators have called the 2018-2019 year a “transition year,” and we should expect the volume of cases to increase in the future. If a business does experience a data breach or violation, it is imperative that they cooperate in a swift and communicative manner.
While GDPR enforcement will continue to change in the future, businesses should develop swift response protocols to GDPR non-compliance as it can result in significantly lower fines from DPAs.
If you have questions or concerns relating to GDPR or being GDPR compliant, give Saper Law a call at 312.527.4100