A little over one year has passed since the General Data Protection Regulation (GDPR or “Regulation”) came into effect. In that time, as expected, consumer complaints, administrative fines, and regulatory action have markedly increased. Trends in GDPR enforcement to date provide insight into the effectiveness and potential weaknesses of compliance strategies.
The GDPR, a privacy law that is in effect in the European Economic Area (EEA) (i.e., the European Union (EU) countries plus Iceland, Liechtenstein, and Norway), is rooted in the European view of privacy as a fundamental right.[1] Accordingly, the GDPR takes an expansive approach to the protection of personal data and defines such data broadly, encompassing all information that relates to an identifiable natural person.[2] Any processing, including collection, organization, storage, use, disclosure, and even deletion of data, similarly falls within the ambit of the Regulation.[3] Perhaps most notably, the GDPR applies extraterritorially (even to companies established outside of the EEA)[4] and imposes hefty fines for noncompliance (up to four percent of annual global turnover or €20,000,000, whichever is greater).[5]
Finding Clarity in Enforcement Trends
The post-GDPR landscape has been shrouded in uncertainty. In the first year, data protection authorities (DPAs) reported over 144,000 complaints and inquiries, as well as more than 89,000 data breaches, with nearly all DPAs reporting a significant increase in activity compared to 2017.[6] As expected, France, Germany, Ireland, Spain, and the United Kingdom have been most active. The resulting enforcement actions provide insight into how DPAs intend to implement the GDPR moving forward,[7] particularly with respect to extraterritorial enforcement, fines and other penalties, and the types of violations most likely to draw scrutiny.
The UK Information Commissioner’s Office (ICO) served its first enforcement notice[8] in July 2018 on an obscure Canadian company, AggregateIQ (AIQ), which has links to the Brexit referendum and the 2016 U.S. presidential election. The ICO alleged that AIQ processed data without lawful basis, proper notice, or consent, which AIQ used to target individuals online with political advertisements. The ICO asserted jurisdiction based on AIQ’s collection of data from, and tracking of, individuals located in the UK. Although AIQ initially challenged the ICO’s jurisdiction, it ultimately complied, likely as a result of cooperation between Canadian regulatory bodies and the ICO, as well as the ICO’s narrowing of compliance requirements.[9]
In late 2018, the ICO determined that The Washington Post, a U.S.-based news organization, violated the GDPR because it did not offer a free method of disabling cookies, which track a user’s online activity. One either had to pay for membership or consent to cookies to access The Washington Post’s website.[10] Despite the ICO’s execution of a memorandum of understanding with the Federal Trade Commission for mutual cooperation in investigating alleged privacy violations, the ICO merely issued a warning and reportedly acknowledged in a statement that “there is nothing more we can do in relation to this matter” should The Washington Post refuse to comply.[11]
Meanwhile, the European Data Protection Board (EDPB), the EU body in charge of the application of the GDPR, issued guidelines on the extraterritorial scope of the GDPR that discuss enforcement through representatives in the EU of companies not established in the EU.[12] U.S.-based companies continue to watch for signs of the DPAs’ willingness or strategy for extraterritorial enforcement of the GDPR, but it is apparent that these efforts will largely depend on the seriousness of the violation and will rely, at least in part, on cooperation with local authorities.
Fines and Other Penalties
In the first nine months of the GDPR, fines imposed totaled €55,955,871.[13] The bulk of this amount, however, consists of the French DPA’s (CNIL’s) €50,000,000 fine against Google for failing to comply with transparency obligations regarding data processing.[14] This penalty is significantly higher than the €100,000 fine imposed on Google just two years earlier under the GDPR’s predecessor, the Data Protection Directive, for failing to delete data subjects’ information.[15] Fines will likely continue to intensify in frequency and amount. Indeed, just in July 2019, the ICO issued notices of intention to fine Marriott and British Airways more than €109,000,000 and €202,000,000, respectively, relating to data breaches in late 2018.[16]
Headline-making fines tell only part of the story. Fines in the hundreds to tens of thousands of Euros have also been imposed, signaling that DPAs are just as interested in small companies and relatively minor infractions as they are in tech giants and large-scale violations.[17] Although not as frequently publicized, DPAs have also ordered cessation of processing,[18] various corrective actions,[19] and prohibition of popular software (e.g., Microsoft Office 365),[20] which for a business can have just as significant an impact as a substantial fine.
Effective Compliance: Learning from Guidance, Mistakes, and a Shifting Landscape
By June 2019, 73 percent of Europeans knew at least one of their rights under the GDPR;[21] DPAs had identified issues of local concern;[22] and the EDPB continued to issue guidance regularly. In April 2019, for example, the EDPB released 14 pages of guidance on Article 6(1)(b) alone, delineating the Regulation’s requirements with respect to contracts for online services.[23] Companies have a tremendous opportunity to learn not only from formal guidance issued by DPAs and the EDPB, but also from the complaints that have been made by an increasingly aware populace, and from the mistakes of others caught in enforcement actions.
For instance, analysis of the past year’s enforcement actions reveals the types of violations that are the focus of consumers and DPAs. Ensuring a lawful basis for data processing and obtaining proper consent are primary concerns (see, e.g., CNIL’s groundbreaking €50,000,000 fine against Google this year for the company’s failure to obtain valid consent for targeted advertisements).[24] Overall, 21 percent of the complaints filed in France related to digital marketing practices.[25] In June 2019, the ICO warned the advertising technology industry that its practice of processing special categories of data (i.e., data concerning race, ethnicity, and sexual orientation, among others) without explicit consent violates the GDPR.[26]
Ensuring data subjects’ access to their data continues to be a high priority. In its third ongoing investigation into Apple, the Irish DPA opened an inquiry into the company’s responses to consumers’ Data Subject Requests.[27] Similarly, in November 2018, the Dutch Ministry of Justice and Security questioned Microsoft’s data collection telemetry system in Office Pro Plus.[28] A few months later, the European Data Protection Supervisor followed up with an inquiry into the contracts between Microsoft and EU institutions.[29] The right of access is also at the core of a class action lawsuit filed against Google in a French administrative court, in which a consumer group alleges that Google’s “endless confidentiality rules” are “a veritable obstacle course” in violation of the GDPR.[30]
Data breaches remain a serious concern, as evidenced by the ICO’s recent notices stating its intention to fine Marriott and British Airways.[31]
It is clear that DPAs are carefully scrutinizing GDPR compliance efforts. Accordingly, it will not be enough to simply have some mechanism to obtain consent, to have some basis for data processing, or to employ the simplest data security measures. Companies instead should continuously reevaluate their compliance strategies to keep pace with an ever-shifting regulatory landscape. Indeed, the GDPR is here to stay, and many jurisdictions are quickly following with their own comprehensive data privacy laws.