By no means all of the regulatory action under GDPR has been accomplished through fines on organizations. The expectation has been that the EU legal consensus regarding privacy would, by itself, strongly influence how organizations behave. Since GDPR’s introduction, most regulators have taken a consultative stance, giving advice and looking for incremental improvements in behavior. That is beginning to change. Telecoms firms should take note.
Just last month, the New York Times published an article concerning the disappointment of privacy and data protection activists with European regulators. A key statistic offered was that fewer than 300 organizations had been fined, which to many seems an absurdly low number. There are plenty of examples of poor compliance with GDPR, including by US firms. At the end of January 2020, DLA Piper’s website reported, “Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25 May 2018.” And a data breach is just one possible kind of GDPR infringement.
Not all GDPR fines are public information in all countries. Despite the inherent motivational power of “naming and shaming” organizations, regulators in Europe have suppressed details, even the names of those being fined, with some frequency.
One of the better sources of information about GDPR enforcement can be found at enforcementtracker.com, provided by CMS Law.tax. As this website says, the data it provides is incomplete. It also includes fines announced but not finalized. Even with these shortcomings, it is an interesting place to look for trends.
Using this data, we can see an increase in enforcement of GDPR from 2018 through its first two years. This is hardly surprising.
In 2018 the GDPR was a dramatic change in most of Europe, a complicated new law often poorly understood.
Even well-meaning organizations needed a certain amount of digital transformation -- including staffing, procedural changes, and changes to software -- before they could comply. Most had been reluctant to invest in anticipation of the law, because it had been a moving target. Plus, as the NYT article stresses, regulators remain severely understaffed and must rely on voluntary compliance. Regulators have had little choice about being patient. There simply isn’t capacity in the regulatory offices of any country to build cases and fine everyone who transgresses. Building cases takes time and naturally creates a lag.
On the other hand, as of May 25, it has been two full years. So what do the enforcementtracker.com numbers show?
- Ireland has not been aggressive so far
Based on data through mid-May, Ireland stands out as a country with a published record of levying only one fine. That fine was on May 17, just in time to avoid a “zero” for the first two years. Several very deep-pocketed U.S. firms have their E.U. headquarters in Ireland, including Facebook, Google, and Amazon. This makes the Irish data protection authority their principal GDPR regulator, a source of deep frustration to many. Other European countries have been eager to curb these companies’ behavior. The French have fined Google anyway, as have the Swedes, while the Germans have fined Facebook.
The privacy activist Max Schrems has recently published an open letter to national data protection authorities, the European Commission, the EU Parliament and the European Data Protection Board (EDPB). The letter says, “After two years, we feel that the time has come to shine light on the shortcomings of the GDPR’s current enforcement in Ireland and bring the debate into the public.”
- GDPR fines have generally been low
While the overall total of fines in the EU isn’t trivial, critics say they have not been big enough. About EUR 470MM in total fines have been counted in the CMS database so far. Of this, just two UK fines (both in the “intent to fine” stage, not final) represent two thirds of the total. Both, interestingly, are rooted in inadequate cyber security -- not in other privacy rights. By comparison, the single recent FTC fine against Facebook of USD 5 Billion makes the European total look underwhelming. (Predictably, critics say that this FTC fine was itself too small.) That the U.S. is one of only a few major countries with no national privacy law is ironic, if “total fines” is your measure of the seriousness of regulatory intent. Although they dominate the totals, multi-million-Euro fines have been fairly rare under GDPR. Bigger fines are the ones making headlines, like the two UK fines against British Airways and Marriott mentioned above. While the law permits fines of up to 4% of worldwide turnover, over 80% of fines have been less than EUR 100,000. The median fine in 2019 was just EUR 12,000, according to the CMS database.
- Spain in 2020
Notably, there’s been a flurry of recent activity in Spain this year: 35 fines levied in just the first quarter, more than the total number for 2019.
This activity in Spain brings our attention to the most-fined industry, which is telecoms. About half the fines in Spain so far this year were against telecoms firms. Reportedly, some of these fines, in amounts like EUR 40,000 and EUR 50,000, are for violations involving a single customer. Imagine those fines extrapolated to a larger fraction of customers, or if Spain had a legal culture of class action lawsuits more like that of the United States! Meanwhile, Spain is not alone. Italy issued a EUR 27.8MM fine to a telecoms firm this year, and Romania has fined one of its telecoms firms twice. As a result, telecoms have received almost one in three fines so far this year, and a large fraction of the 2020 year-to-date total in Euros.
Are regulators in the EU sending a message that it is past time to get serious about data protection? It would seem so, and telecoms are in the cross-hairs.