Despite the global angst preceding the GDPR’s effective date, there’s been seemingly little news about enforcement efforts against noncompliant businesses. But the reality is that EU regulators have been very busy working behind the scenes. As of February 2019, nearly 100,000 claims under the GDPR had been lodged with EU national data protection authorities (“DPAs”), many relating to telemarketing and promotional e-mails. Similarly, just over 40,000 data breaches were reported to the DPAs, and 255 investigations into EU cross-border processing activities were initiated, mostly as a result of complaints filed by individuals.
Although sanctions are sure to follow, they are certainly not handed down lightly. In fact, the GDPR requires the merits of each case to be vetted through a painstaking, time-consuming validation process involving both the investigating DPA and the European Data Protection Board, an informal working group made up of representatives from each of the 28 DPAs. Ultimately, there will be many more claims than actual fines issued, because the regulators generally try to bring alleged infringers into compliance by ordering them to take certain corrective actions in lieu of issuing actual fines. In some cases, regulators will conduct unannounced, on-site audits or “raids” before taking any action; and for companies not physically located in the EU, an on-line audit is possible. When penalties are imposed, they will be commensurate with a certain category of breach, as specified by the GDPR, and levied directly by a DPA without a court-issued enforcement order.
If we examine the past year’s enforcement activity, we can actually learn quite a lot. First, we see that three national regulators, those of the Netherlands, Germany, and the UK, have been particularly active in investigating claims and bringing enforcement actions. This isn’t all that surprising for the first two, since these DPAs have always been at the forefront of protecting individuals’ fundamental rights and freedoms. However, it is more surprising for the UK, historically perceived as being more business-friendly than other countries in the EU.
More importantly, though, the fines issued so far reveal three general areas of noncompliance:
- Lack of transparency: If a company does not have a GDPR policy, or if the policy lacks the level of detail required by the GDPR, it is more likely to be fined by the DPAs. A company also increases the likelihood of facing enforcement action by conducting business in a way that directly contradicts what is written in its GDPR policy. On January 21, 2019, the French DPA imposed a €50 million fine on Google for alleged GDPR violations of the transparency, notice and consent requirements.
- Denial or disregard of user access rights: Under the GDPR, individuals have enhanced rights around their data, which they can exercise at any time for a variety of purposes. Specifically, an individual may seek access to their data, or may request to correct it, object to the processing, or request that their data be erased completely (otherwise known as the “right to be forgotten”). Entities subject to the GDPR must respond to such requests within 30 days. By responding late, or ignoring the request altogether, a company will be in breach. France’s case against Google also involved these failings.
- Failure to safeguard data: The GDPR mandates that certain technical safeguards be implemented to protect data, such as minimum levels of encryption, regularly updated passwords, back-up systems, the ability to retrieve lost data, and documentation explaining why measures like these are appropriate based on the type of data being collected. If a data breach is discovered, GDPR-subject companies have an obligation to report the breach to authorities within 72 hours, as well as to notify all affected users without undue delay. In November 2018, the German DPA of Baden-Württemberg imposed a €20,000 fine on a social network operator for failing to protect users’ personal data.
As more sanctions are imposed and shared with the global business community, we recommend that our clients who are subject to the GDPR heed the lessons learned and, if necessary, refine their compliance efforts accordingly.