The GDPR hasn’t gone away. In fact, the truth is that it is really just getting started as regulators, not all, become more assured in their own compliance policies and strategies.
In previous blog posts we looked at the first annual report from the DPC since the GDPR was introduced in May 2018. Following on from that, we did an evaluation of the effectiveness of the GDPR which assessed its effectiveness about 15 months past its inception. The GDPR has once again been the subject of debate recently, with this debate emanating from the perspective of enforcement. Most notably, there has been harsh criticism of the Irish DPC because of a perceived reticence to impose fines. Whether this is justified is examined below.
Some Quick Stats
The most up to date information on the application of the GDPR throughout the EU/EEA provides the following:
- More than 6,700 data breaches were notified to Ireland’s Data Protection Commission (DPC) last year, the second highest level of notifications recorded per capita across Europe.
- Since its implementation in May 2018, the General Data Protection Regulation (GDPR) led to over 160,000 data breach notifications across Europe, according to research from multinational law firm DLA Piper.
- From this total of 160,000, there were about 100,000 reported for 2019. A recent report by DLA Piper showed the Netherlands topped the table with 40,647 data breach notifications reported. The same country had a per capita ratio of 147.2 per 100,000.
- Ireland had a per capita ratio of 132.52 per 100,000, ranking second in the table followed by Denmark.
- European regulators have imposed €114 million in fines (for data breaches) under the GDPR regime to date, with a further €329 million in sanctions threatened. ( See, ‘Ireland ranked second in Europe for data breach notifications’ )
Of most interest to data protection professionals is the type and amount of fines that have been issued to date. In this context it is enlightening to remember that the Irish DPC is the lead regulator for many companies such as Google, Twitter, Facebook, Microsoft, and others. This is in part due to the ‘one stop shop ‘mechanism introduced under the GDPR. Based on the figures for data breach notifications shown above it would be expected that the Irish DPC would have issued numerous fines at this point in time.
New figures compiled by the Italian data protection body Osservatarorio di Federprivacy – which includes data from official sources in 30 countries – show authorities in the EU/EEA imposed 190 fines in 2020.Italy was the most active data protection authority, with 30 actions last year, while the UK was the most punitive, with fines totalling €312 million, some 76 per cent of all sanctions issued. Among the companies to be facing fines are British Airways and Marriot, which are looking at bills totalling £183 million (€214.8 million) and £99 million respectively after being sanctioned by the UK’s Information Commissioner’s Office last year.
Only Ireland and Italy failed to impose any fines. On its face, a failure to impose fines is disconcerting and raises questions about the practical operation of the GDPR. One of the partners at DLA Piper who specialises in cyber security and data protection, suggested fines have been low relative to “potential maximum fines” of €20 million ($22.2 million) or 4% of annual global turnover, “indicating that we are still in the early days of enforcement.“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”
More on Fines
While Ireland’s DPC has failed to fine anyone, the French regulator has seen fit to fine Google €50million for failing to comply with GDPR obligations. Indeed, the French top the rankings for the level of fines imposed (€51mill.), followed by the Germans (€24.5 mill.), and the Austrians (€18mill.). There is no questioning the ability of the DPC to issue fines, but some are beginning to question a willingness to issue fines. In particular, the Italian regulator has taken the opportunity to level some criticism at the perceived lack of action by the DPC in Ireland. That regulator has tabulated figures, which include data from official sources in 30 countries, showing authorities in the EU/EEA imposed 190 fines in 2019.
Italy itself was the most active data protection authority, with 30 actions last year, even though it was one of the lowest in terms of breach notification numbers. The UK was identified as the most punitive with fines totalling €312million representing 76% of all sanctions meted out. Federprivacy chairman Nicola Bernardi said the failure of the Irish Data Protection Commission to issue fines thus far is a concern given the large number of leading tech companies based here. He expressed concerns that technology companies may be treated with more leniency in Ireland than in other jurisdictions and called for greater consistency to be applied across the EU for dealing with sanctions.
So is the criticism justified?
The Irish DPC has 61 statutory enquiries under way, 21 of which are focused on tech multi-national firms. These include Facebook (8), Twitter (3), Apple (3), Google (1) and LinkedIn (1). (See, ‘Data Breaches in Ireland among highest in EU’. Adrian Weckler, Irish Independent, Jan. 20, 2020.) Informed sources have said the Data Protection Commission is in the final stages of its investigation into WhatsApp over possible breaches of EU data privacy rules, with a draft decision expected to be circulated to other authorities to consider within weeks. This is the first of the commission’s many investigations to approach its end point, with delays blamed on complications that arise from pursuing companies that operate cross-border. Verdicts are expected in the Twitter and Whatsapp cases very soon, according to DPC officials. Helen Dixon has distanced herself from any speculation on the amount of fines that may be imposed, while stating that the recent fine of $5billion levied on Facebook in the U.S. by the FTC is unlikely to be repeated here.
What is clear to informed data protection professionals such as GDPRXpert is that there are extenuating circumstances that explain the non –imposition of fines to date by the DPC. Undoubtedly, a major contributory factor in non-imposition of fines so far has been the volume and complexity of current investigations. Both of these factors have combined to delay the final verdict. Until there is a final verdict rendered, there can be no announcement of any fine. So any criticism must take account of the quantity, the nature, and the attendant quality of investigations that are still incomplete. As noted earlier, the cross- border nature of many of the investigations adds to the complexity. These particular investigations just take time. Every investigation has to be placed within its own particular context. Going back to the stats on breach notification, we saw that Denmark placed third in the table for breach notifications. This needs to be viewed in a manner detached from its apparent face value.
Many of the breach notifications are related to sending the information of one data subject to the wrong recipient, often in an otherwise secure manner, so the majority of breaches are not severe. It is all too easy to make general assumptions from bare statistics or numbers. Context is crucial to a true understanding. Commenting on the country’s top-three position in the GDPR index, Allan Frank, an ICT security specialist at Datatilsynet, Denmark’s data protection regulator, said: “We don’t see Denmark as more prone to cyber-attack.”Instead, Frank said, the country’s public and private sectors were accustomed to “reporting to public authorities in different matters” – including data breaches – through a single web portal.
Earlier in the blog we saw that France had imposed the highest amount in fines, (almost entirely coming from the Google fine) but yet had a very low ranking for the number of breach notifications per capita. There is no direct relationship between breach notifications and the imposition of fines. It has more to do with the nature of a breach and the particular type of breach. There is no automatic fine for merely communicating a breach. What is more salient is whether there was an outright infringement of the regulation that caused the data breach.
“The investigation of cross-border issues is highly complex and takes time to complete, highlighted by the fact that there have been very few decisions with fines issued under the GDPR in relation to cross-border investigations across all 28 EU supervisory authorities since the application of the GDPR in May 2018,” said deputy commissioner Graham Doyle. In principle, regulators can impose fines of 2% or, in some cases 4%, of global turnover. In practice, they will have to judge whether such a heavy penalty would stand up in court, said DLA Piper partner Ross McKean. It’s going to take time – the regulators are going to be wary about going to 4% because they are going to get appealed,” McKean told Reuters. “And you lose credibility as a regulator if you’re blown up on appeal”. Therefore, it seems logical and represents good practice on the part of the DPC to complete the full investigative process before any discussion in relation to fines is broached.
What we are likely to witness in the future will be fines being assessed more quickly in the light of the degree of severity of the failure to comply with obligations under the GDPR. Data breach notifications are often the beginning of the fine process. GDPR was aiming at this from the outset. This is reflected in the framework of the Regulation. For example, Art. 83 sets out the appropriate maximum for fines, based on the nature of the infringement. It establishes a sort of hierarchy of infringements. The overriding factor is that the fines be ‘effective, proportionate and dissuasive’.
Art. 82.3 (a-k) lays out factors and conditions to be considered when making the assessment on the need for, or the appropriate amount of, a fine, if one is to be imposed. These are categorically delineated and leave few questions. Any fine can be imposed instead of, or in addition to, corrective measures referred to in points (a) to (h) and (j) of Art.58(2). Art.83 (5) lays down the upper limits of fines for infringement of certain provisions of the regulation. Any non compliance with an order of the DPC can also be subject to a maximum fine of €2million or in the case of an undertaking 4% of total worldwide turnover in the preceding year, whichever is greater.
In relation to the cases before the DPC currently, it is only proper and prudent to leave no stone unturned in any investigation, especially bearing in mind the substantial quantum of fines, for which undertakings in particular may be liable. Informed sources have said the Data Protection Commission is in the final stages of its investigation into WhatsApp over possible breaches of EU data privacy rules, with a draft decision expected to be circulated to other authorities to consider within weeks. “This is the first of the commission’s many investigations to approach its end point with delays blamed on complications that arise from pursuing companies that operate cross-border.”( Charlie Taylor, Irish Times, 20 Jan. 2020, ‘Ireland ranked second in Europe for data breach notifications’)
It seems to GDPRXpert that the DPC is in a kind of ‘no win’ situation. Had the DPC left the ‘big fish’ until later and gone after the ‘smaller fish’, (smaller companies and SMEs) criticism would have been relentless from vested interests. A popular view would have held the DPC lacked the will to challenge Google, Facebook, Apple etc. Yet the DPC was not going on fishing expeditions with the investigations that commenced. There were valid reasons, many stemming from data breach notifications.
Nevertheless, there is a view that holds that the DPC should have had a mixture of investigations in the early days of the GDPR. This would have sent out the message that GDPR compliance is expected from all, not just the ‘big boys’. There is validity to that view, with strong anecdotal evidence suggesting smaller businesses, in particular, have not been giving the GDPR the attention it demands. Many feel the DPC is busy elsewhere. That may be true for now. What may be lost in all of this is that, if a business comes to the attention of the DPC through a data breach, that business will be expected to show what exactly they have done since May 2018! There will be no excuses for a failure to be in compliance so long past the introduction of the GDPR.
Patrick Rowland, GDPRXpert.ie
We are GDPR and Data Protection consultants with bases in Carlow/Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie