One Year Later: How are the Regulators Enforcing the GDPR?

We are coming up on the first anniversary of the European Union’s General Data Protection Regulation (“GDPR”), one of the most anticipated data protection regulations in recent memory. Love it, hate it, indifferent — regardless of your personal feelings, the GDPR made waves. It was the catalyst that caused companies across all industries to start the conversation around data, security, and information governance.

And why did companies both in and outside of the EU start to pay attention? The answer is short: fines and regulatory actions. The GDPR provides data protection authorities (“DPAs”) (i.e., the enforcing bodies within each EU member state) with the authority to fine companies up to 4% of global revenue or 20 million euros, whichever is higher. See Art. 83. Nothing makes management stand up and pay attention like a real hard number that will directly affect the bottom line. What is often not discussed is that, beyond the fines, the GDPR gives these DPAs the power to dictate how companies can use (or not use) data, and this cost could be an extinction-level event for a company.

But, one year out, how influential has the GDPR been? Are these fines really making an impact? Are the regulatory authorities able to use the GDPR as a sword, forcing companies to take data management and individual data rights seriously?

The DPAs have not taken a back seat to see how companies will comply with the GDPR. We have seen active enforcement from a number of EU member states. While this is not an exhaustive list of the sanctions issued or companies under investigation, we have outlined some noteworthy actions taken by the DPAs to date.

Starting with the UK: the ICO currently lists 57 enforcement actions taken under the GDPR since May 25, 2018. The majority of these actions involved monetary penalties or enforcement notices. The ICO’s first GDPR enforcement notice was issued against Aggregate IQ Data Services Ltd (“AIQ”) on July 6, 2018. The ICO found that AIQ, a Canadian-based company, violated the GDPR in its processing of personal data because the data subjects were unaware of the data processing (i.e., a prima facie violation of the GDPR).

And, just in case you thought the government itself may be immune to the reach of the GDPR, the ICO recently investigated the HM Revenue and Customs (HMRC) (UK’s tax authority) and found that the HMRC failed to obtain valid consent when using the voice ID system. The HMRC is being forced to delete the voice records of millions of taxpayers and to obtain valid consent for any of its remaining voice records.

The French DPA (“CNIL”) made headlines with its 50 million euro penalty assessed against Google early in 2019. Two associations (None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”)) complained to the CNIL regarding Google’s lawful basis for processing personal data (i.e., Art. 6), especially as it related to Google ad services. After investigating the matter, the CNIL found that Google was not transparent in its data processing activities and failed to obtain valid consent from the data subjects for the processing of the personal data. The CNIL justified its 50 million euro fine because these violations are continuous and impact a large portion of the French population. Further, the CNIL directed Google to reframe its data processing activities in order to comply with the GDPR — a very significant penalty for Google since it strikes at the heart of Google’s business model.

Not surprisingly, Germany has been another active jurisdiction since last May. On Safer Internet Day (February 5, 2019), the Bavarian DPA conducted an assessment of forty websites, finding all to be fully or at least partially non-compliant with the GDPR. The findings focused on two aspects: transparency and consent. Under transparency, ¼ of the websites used tracking tools and included that information in their privacy policies. However, the remaining ¾ of the websites reviewed either had no information regarding the tracking tools used or provided insufficient information. For consent, all of the websites were found either not to seek consent or to obtain consent that did not comply with the relevant data protection laws.

Poland’s DPA issued its first GDPR fine in April of this year. Poland fined Bisnode, a data analytics and marketing company based in Sweden, 220,000 euros for failing to provide adequate information to data subjects regarding the information it obtains on these individuals. When an entity receives information from a source other than the data subject, Article 14 outlines the various types of information that are to be provided to the data subject as soon as possible after receipt of the data. While fines are never fun for a corporation, Poland’s “real” sanction against the company came in the form of requiring Bisnode to comply with Article 14 by reaching out to 6 million people and providing appropriate notifications. Bisnode estimates the cost of this exercise to be approximately 8 million euros (making the mere 220,000 euro fine look paltry in comparison).

Finally, Ireland has garnered a lot of attention since some of the top global tech companies call the island their EU home (earning Dublin the nickname “Silicon Docks”). The Irish DPC is taking heat for failing to take any enforcement actions to date, especially since it has direct jurisdiction over what appear to be the major tech offenders these days (think Facebook, Twitter, etc.). And, while Ireland has not taken any definitive action against any companies, the Irish Data Protection Commissioner Helen Dixon testified before US lawmakers this week, stating that her office is conducting extensive investigations and that she anticipates that fines will be “substantial.”

So, one year into the GDPR, what do these regulatory actions mean for companies? First, while you could argue that these fines and regulatory actions have been slow in coming, they are coming. And yes, the fines have been nominal at best. (The same criticism could be made on the US side of the FTC’s recent settlement negotiations with Facebook regarding its mishandling of personal data.) The CNIL’s fine against Google amounted to less than 2% of the total fine that could have been issued under the GDPR (under Article 83, fines can be a maximum of 4% of global revenue or 20 million euros, whichever is higher). Frankly, the fines are not what should be concerning companies. It is the injunction against the use of personal data that really hits home. Bisnode is looking at either spending 8 million euros to notify individuals or deleting all of the information collected that is not in compliance with the GDPR. These penalties far surpass the monetary fines issued by Poland’s DPA. For Google, the CNIL’s decision went to the heart of its business model and attacked its method of obtaining consent for the processing of data. If upheld, the CNIL’s decision could be far more costly to Google than the 50 million euro fine.

Second, the DPAs have shown that they will proactively audit companies for GDPR compliance, needing no other resources than your outward-facing company information (website, application, etc.). The German DPA merely reviewed 40 websites and found non-compliance. Companies need to be on notice that external-facing information is the fastest and easiest way for the DPAs to find non-compliance.

Third, while the DPAs are still setting up their infrastructures and building out their resources, data subject complaints are the fastest way that companies are being brought to the attention of the DPAs. It is a double-edged sword for companies: on the one hand, data subjects are highly motivated, know their rights, and want to regain control of the collection, processing, and storage of their personal data. On the other hand, the DPAs are highly responsive to these complaints and are using them to prioritize the companies to investigate. Maintaining the confidence of the data subjects is key to staying out of the regulatory spotlight.

Even one year into the GDPR, we are still only starting to see the impact of the Regulation. And the role of the regulatory authorities is only going to grow. Soon, the courts will start to weigh in more heavily, striking the appropriate balance between compliance with the GDPR and fairness in how it is applied. As a company located in the EU or doing business in the EU, staying abreast of the investigations and fines by the DPAs is key. Waiting until a DPA knocks on your door is not a defensible position under the GDPR; you need to be ready with a comprehensive and cohesive response to prove your GDPR compliance. With all aspects of privacy and security, and especially when dealing with regulatory authorities, luck favors the prepared!


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.