- About Us
It’s been almost 2 years since the GDPR came into force. After the entry in May 2018, it took a while for the different European data protection authorities to really start enforcing the legislation. 2018 was considered the year of implementation. When 2019 opened with the consent-fine for Google, it seemed to become the year of enforcement. Has that actually been the case? Let’s look at the facts.
Across Europe, so far 189 fines have been issued. Although the GDPR emphasises consistency throughout the Union, all European countries have their own data protection authorities. So far, we see a big difference in the number of fines that have been imposed per country. The Spanish Data Protection Agency is front-runner, with a total of 43 penalties. Romania is second with 21 penalties and Germany comes third, with 18 fines issued.
Countries that have not issued any fines yet are Croatia, Estonia, Finland, Iceland, Liechtenstein, Luxembourg, Slovenia and Ireland. The Irish Data Protection Commission is worth mentioning, since they have the particularly tricky task to investigate the large-scale complaints against huge tech companies such as Facebook, Google, WhatsApp and Twitter.
The fines vary in amount and affect enterprises, small businesses and even private persons. The highest fine so far, I already mentioned it, is the French CNIL fining Google for 50 million euros, just over a year ago. This fine was a wake-up call for most organisations that privacy enforcement is not just about information security and data breaches. The Google fine was about invalid consent that was not sufficiently informed and neither “specific” nor “unambiguous”.
Even higher fines have been announced in the summer of 2019 by the UK Information Commissioner’s Office, but they have not yet been materialised. It concerns British Airways (over 200 million euros) and Marriott (over 110 million euros). The UK’s ICO has six months to convert a notice into a final penalty. Those six months were recently due to expire. However, it seems that all parties have agreed on an extension of the regulatory process until the 31st of March 2020. So, we have to wait and see if the ICO has really been able to prove its case or if the fines turn out significantly lower than intended.
A deeper dive in the type of violations shows that most companies still don’t have their data processing principles right. The majority (56%) of the violations evolves around the GDPR Articles 5 and 6, addressing lawfulness of processing, data minimisation and transparency.
In many cases there is no basis for data processing on the grounds of article 6.b-f. In those cases, organisations need to ask for consent for the use of personal data and specify the purposes. In the GDPR research that we conducted just after the GDPR came into force, consent was one of the major problems of European organisations. The practice shows that authorities have also noticed this and fine accordingly.
Many of the GDPR requirements around data minimisation and consent can be covered with a good Consumer Identity platform. If you want to do it well, keep these steps in mind:
Find all the useful information about GDPR fines in our free infographic.
If you want to do some additional exploration yourself, just check this great overview.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via email@example.com.