The European Union’s data protection authorities have been flexing their regulatory powers under the General Data Protection Regulation over the past year, increasingly imposing larger fines and other enforcement actions.
In 2020, EU authorities issued around €158.5 million ($192 million) in fines, a 39 percent increase on the previous 20-month period—from May 2018 when enforcement of the law began and all of 2019—said law firm DLA Piper. The fines in 2020 account for 40 percent of all fines imposed since the law went into effect.
European regulators began "testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe's tough data protection laws," DLA Piper said.
Regulators have the authority to issue heavy fines—up to €20 million ($22.8 million), or up to 4 percent of the organization’s annual worldwide revenue—to organizations found violating the law. The largest GDPR fine to date is the €50 million fine against Google by France’s CNIL data protection supervisory authority in January 2019. The second largest penalty was the €35.26 million fine against global retailer H&M Hennes by Germany in October 2020. The third largest penalty was imposed by Italy’s Garante on telecommunications operator TIM for €27.8 million ($33.9 million / £25 million).
The fourth and fifth largest fines for GDPR violations came from the United Kingdom’s Information Commissioner’s Office, but in both cases, the original sum was significantly reduced after appeals. The United Kingdom’s £189.39 million fine on British Airways was dropped a staggering 90 percent to just £20 million. The £99.3 million fine on Marriott for the data breach where information belonging to 339 million guests was taken was slashed 80 percent to just £18.4 million. The ICO discounted the final penalties in light of financial hardship related to the economic pressures caused by the COVID-19 pandemic.
Regulators “haven’t had it all their own way, with some notable successful appeals and large reductions in proposed fines,” DLA Piper said.
Each country has its own data protection authority, but some countries have been more assertive than others in enforcing GDPR. Of the GDPR fines imposed since May 2018, over half, or €192.8 million ($234 million), came from Italian, German, and French data protection authorities. Just six countries have imposed more than €10 million in total fines to date: Italy at €69.3 million, Germany at €69 million, France at €54.4 million, the United Kingdom at €44.2 million, Spain at €14.5 million, and Sweden at €11.5 million. Only three—Bulgaria, the Netherlands, and Poland—have crossed the €1 million mark over the past 31 months.
Ireland is expected to be a key regulator because several large technology companies have their European headquarters within its borders. Ireland’s Data Protection Commission was juggling at least 23 investigations into Apple, Facebook, Google, LinkedIn, Tinder, Twitter, and Verizon in 2020, but progress has been hampered by a small budget and not enough resources. Ireland’s DPC has brought just €715,000 in fines so far.
The variations across data protection authorities in what they have done so far under GDPR reflect the differences in how each country interprets and enforces the law. “This regulatory uncertainty is particularly challenging for multinational organisations with operations in multiple countries,” according to the DLA Piper report.
Overall, the GDPR fines haven’t been as high as they could have been—but individual fines have been increasing over the past few months. Of the ten highest fines imposed to date, six were penalties from 2020 and one in 2021—earlier this month. The highest in 2020 was the €35.3 million fine German regulators slapped on H&M Hennes in October 2020. The fine in 2021 was also by German regulators, against notebooksbilliger.de for €10.4 million.
Several of the large fines in 2020 were related to security violations. GDPR requires organizations to implement “appropriate” technical and organisational controls to protect the data, and regulators are showing they will call out organizations that fail to do so. Data protection authorities have specified the activities they consider appropriate when establishing penalties—such as monitoring privileged user accounts; monitoring access to, and use of, databases containing personal data; hardening servers to prevent access to administrator accounts; encrypting personal data; using multi-factor authentication to prevent unauthorized access to Internet-facing applications; strict access controls for applications; not storing passwords in plain-text unencrypted files; and logging failed access attempts.
The authorities have not been focusing exclusively on security mistakes leading to data breaches—they have also been actively enforcing the data protection principles, such as transparency, fairness, and lawful basis for processing the data. Enforcement actions have penalized organizations with “overly complex privacy notices and notices deemed to be insufficiently granular, inaccurate or incomplete,” DLA Piper noted in the report.
“For anyone who has had to draft privacy notices, transparency is a conundrum. Include too much detail and it may not be understandable to your audience, breaching GDPR’s transparency principle. Include too little and you risk being sanctioned for providing incomplete or inaccurate information.”
One of the reasons the fines haven’t been near the maximum amount possible under the law may be tied to some uncertainties on how fines should be assessed, according to DLA Piper’s report. While the common interpretation is that fines should be assessed against the organization’s total global revenue, “legally binding articles” of GDPR appear to limit the assessment of fines to just the revenue of the specific entity within the organization responsible for violating GDPR. There is also ongoing discussion whether fines for violations that affect integrity and confidentiality of data are capped to a lower (2 percent) amount than those for security violations.
“The many open legal questions and uncertainties in the interpretation and application of GDPR perhaps explain, in part, why the fines imposed to date by supervisory authorities have been at the lower end of the scale of potential maximum fines,” DLA Piper’s report noted.
Regulators have the ability to suspend data transfers altogether when they are considered unlawful—or to delete data collected unlawfully. This authority hasn’t been used much yet, but it may have more of an impact on how organizations process and handle data than just fines.