While we’ve learned about how General Data Protection Regulation (GDPR) works in practical terms, there are still key issues being debated.
Nearly four years after the GDPR came into effect, we have gained valuable insight into how the European Union is enforcing it. Since 2018, over 900 GDPR-related fines have been issued across the European Economic Area and the UK. (1) Those fines, the appeals and the resulting case law show how the GDPR is being applied in practice and give us a glimpse of the issues that still need to be resolved.
2021 was a banner year for GDPR fines. Between 2020 and 2021, the fines imposed skyrocketed from €158.5 million ($179 million) to €1.087 billion ($1.23 billion). (2) Nearly one billion euros' worth of fines were issued in Q3 of 2021, about twenty times the combined total of Q1 and Q2. (1) These fines were dominated by data-driven companies, including one in Luxembourg for €746 million ($877 million), nearly 15 times larger than the previous highest fine; that fine is currently under appeal.
In 2021, Luxembourg and Ireland were notable for issuing a small number of high-value, high-profile fines, while other countries, including Italy and Spain, issued a larger number of low-value fines. (2) While we still do not know which approach is better at driving compliance, we do have insight into why these differences exist.
The GDPR operates through a "one-stop-shop" mechanism, which makes a multinational company accountable to the data protection authority of the country where its European headquarters is located. All complaints are funnelled through that country, though any nation affected by the complaint has a right to comment. For example, if a multinational company headquartered in France suffers a data breach in Spain, the complaint will most likely be transferred to France. Because of their corporate-friendly tax policies, both Luxembourg and Ireland are popular headquarters for major multinational companies. As we saw in 2021, these larger companies, which handle greater volumes of data, are more likely to incur heavier fines.
While Poland isn't notable for the volume or value of fines issued – just over €2 million since 2018 – it is notable for its recent focus on the GDPR's information security requirements and the responsibilities of data controllers and processors. In 2021, rulings emphasized the importance of regularly testing, measuring and evaluating information security measures. (2) In October, a court handed down a ruling that could affect businesses concerned about a breach caused by their data processor.
The court overruled the Polish Data Protection Authority's decision to fine a controller for the actions of its data processor. The controller, a financial technology company, had been fined because its client database was illegally downloaded through its data processor.
The ruling stated that while the controller was responsible for compliance with the GDPR, it was not responsible for a personal data breach caused by the processor's actions. Future cases will determine whether this ruling carries weight outside Poland, but it does call into question the previous assumption that data controllers are liable for their data processors' actions or negligence. (2)
Right now, businesses are closely monitoring negotiations between the EU and the US over how multinational companies handle the transfer, storage and processing of European users' data on US servers. These data transfers were governed by the EU-US Privacy Shield until July 2020, when the European Court of Justice invalidated it, citing concerns that US surveillance laws lack sufficient policies and procedures to protect the privacy and personal data of people living outside the US. As data controllers, multinational companies transferring data are in limbo and face uncertainty and risk under the GDPR until a new framework is enacted.
Ensuring data protection is clearly a work in progress for businesses, government agencies and the courts. According to a spokesperson at the independent European Data Protection Board, GDPR is a “long-term project”. (3) It is a project that has a deep impact on businesses, the economy and our personal lives.
(2) DLA Piper, GDPR fines and data breach survey: January 2022. Report by DLA Piper, Cybersecurity and Data Protection Team.