The EU General Data Protection Regulation (the “GDPR”) has been in force for just under a year now. Prior to its coming into effect, a key topic of concern for many companies was the ability of Supervisory Authorities (EU Data Protection regulators) to impose potentially enormous fines.
In the run up to GDPR implementation, a huge number of media articles, industry reports, advisory notes from law firms etc. were published, all seeking to impress the potentially crippling size of these fines.
In many cases, it seems that this regulatory ‘stick’ drove many positive efforts by companies to get in line with the requirements of the GDPR.
However, despite this initial furor, the number, and size, of administrative fines imposed has been almost surprisingly low; particularly so considering the number of complaints made to Supervisory Authorities by data subjects and public interest groups, as well as the amount of personal data breaches reported to them by companies.
GDPR fines to date
Based on this February 2019 Report from the European Data Protection Board, the total amount of administrative fines imposed under the GDPR by all Supervisory Authorities in the EU was €55,955,871 at that point in time.
Although some small fines have been issued since that Report was published – such as the €220,000 fine imposed by the Polish Personal Data Protection Office in March – this number has not increased materially. This means that almost all of this seemingly large number is accounted for by the €50,000,000 fine imposed on Google by the Cnil (the French Supervisory Authority).
As is readily-evident from the figures above, this means that the Google fine represents the only significant administrative fine imposed in the first year of the GDPR.
Does this all mean that the risks of administrative fines was overblown? Probably not.
The inactivity of Supervisory Authorities when it comes to levying fines during the first year of the GDPR should not be taken as having significant precedential value. That first year should likely be seen as a transition period. Supervisory Authorities had to conclude investigations started under the previous regime, prepare and issue new guidance, establish new enforcement approaches, and deal with a flood of data breach reports from companies seeking to comply with the GDPR’s new data breach reporting requirements. All this in addition to actually conducting the investigations that might ultimately result in fines.
It appears that Supervisory Authorities may now have their houses sufficiently in order to enable them to start taking serious enforcement action, including issuing fines.
Appearing before the U.S. Senate Committee on Commerce, Science and Transportation on May 1st, Helen Dixon (the Irish Data Protection Commissioner) was keen to stress that:
- fines were coming in the “coming months” (so likely in summer 2019); and
- they were going to be “substantial”.
Given that a large number of U.S.-based global internet companies have determined the Irish Data Protection Commission to be their lead supervisory authority in the EU, any enforcement action it takes will be keenly followed. It will have significant precedential value across the EU, given the level of co‑operation with other Supervisory Authorities that will likely have occurred due to the cross-border nature of these companies’ processing activities.
Elizabeth Denham (the UK Information Commissioner), speaking on a panel at the International Association of Privacy Professionals’ Global Privacy Summit on May 2nd, also noted that the UK Information Commissioner’s Office (the “ICO”) “will be adding to that momentum this spring with a couple of very large cases that are in the pipeline”. Ms. Denham also flagged that it was vital that Supervisory Authorities set a strong precedent in terms of the enforcement action they take, and noted particular areas of priority for the ICO to be violations involving advertising technology and processing of children’s data.
Again when speaking to the U.S. Senate, Ms. Dixon highlighted that complex investigations likely to result in significant sanctions take time to build, conduct, and conclude. In addition to establishing the basis of the investigation, she flagged the various procedural steps that need to be implemented (e.g., permitting participation of affected parties in that investigation; and interacting with other Supervisory Authorities in the context of cross-border processing).
What does this mean?
All in all, it looks like by the end of the summer, we will have a far better understanding of:
- the true scale of administrative fines companies are at risk of having levied against them under the GDPR; and
- the issues Supervisory Authorities consider constitute more (or less) significant issues when it comes to GDPR non-compliance.
Although, to date there has been limited enforcement activity in the way of fines to date, it is coming and it is likely to be significant.
Companies should not rest on their laurels and take this lack of enforcement activity to date as an indication that they can relax, or worse cease, the ongoing steps they should be taking to comply with the GDPR.
The issuance of further and material administrative fines by Supervisory Authorities will (except for recipients of those fines) be extremely useful for companies looking to refine their GDPR compliance approach. Companies and privacy professionals alike have been assessing risk and risk mitigation steps in something of a vacuum – the more precedent established, the better potential risk can be analysed and avoided.