Enforcement actions for breaches of the EU’s General Data Protection Regulation (GDPR) could come before the end of the year, according to the European Commissioner for Justice Věra Jourová. The legislation, which has significantly strengthened consumers’ rights to privacy and data protection in the EU, introduces the possibility of mammoth fines: the most serious breaches of the GDPR can cost companies up to EUR 20 million or 4% of their global annual turnover, whichever is higher. While organisations processing large amounts of customer data are particularly exposed, no sector escapes scrutiny.
For the European Commission and several national governments, hefty fines for major technology companies would be a crowd-pleasing move, particularly with the wave of anti-US sentiment across the EU. Just days after the GDPR became applicable, French digital advocacy group La Quadrature du Net filed complaints against five US companies. Privacy activist Max Schrems swiftly filed four complaints the day the GDPR became enforceable. Schrems went as far as creating his own not-for-profit foundation, None of Your Business, to pursue GDPR complaints.
US firms are not the only targets for enforcement action. Ticket sales site Ticketmaster is likely to be the first test for the UK’s data protection authority. Having recently reported a breach that affected some 40 000 UK customers between September 2017 and June 2018, Ticketmaster holds the dubious distinction of reporting the first major breach to straddle two data protection regimes. Both the Data Protection Act 2018, the UK law that gives effect to the GDPR, and its predecessor, the Data Protection Act 1998, could apply, since the breach began under the old regime and continued past 25 May 2018. While the earlier legislation capped fines at GBP 500 000, Ticketmaster could face a much larger fine if the new act is applied.
The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), is using the first months of the GDPR to investigate a randomly selected group of organisations for compliance, an exercise it intends to repeat every year. Based on the first investigations, the signs are not encouraging for data protection: a recent survey found that 40% of Dutch municipalities were in breach of the GDPR because they had no privacy statement on their website. The AP hopes that its investigations will give companies in the Netherlands an incentive to reconsider their compliance with the GDPR.
German authorities are also considering their approach to the GDPR. In contrast to other EU member states, their focus is on preventing lawyers from building an industry out of filing GDPR complaints. The German government originally wanted to pass a law banning the “mass sending of warning letters” (which, of course, is a single word in German) for breaches of the GDPR. It would have stopped anyone from earning money by sending warning letters for a period of two years. The centre-right CDU/CSU wanted to introduce a legislative quick fix before the summer recess began, but its centre-left coalition partner, the SPD, wanted a more careful, wide-ranging law. Recently, a junior minister in the German government informed the national parliament that the possibility of amendments to the GDPR would be a “main topic” of the German Presidency of the Council of the EU in 2020. This gives national authorities two years to test out their varying monitoring and enforcement strategies, and headline-grabbing fines on non-compliant organisations are likely in that period.
Once the threat of fines has materialised, there is likely to be a second wave of compliance actions as organisations urgently reconsider their data protection policies. The German prediction of a GDPR industry is likely to prove true to some extent. As the GDPR becomes embedded in company policies, tools and services to ensure compliance are likely to emerge, and organisational behaviour will change.
Author: Kirsten Williams, Policy Analyst, Access Partnership