GDPR Enforcement: A Cause for Concern?
Over two years on from implementation in 2018, GDPR continues to hit the headlines. Within the past weeks, there have been questions around video app TikTok’s compliance with the Regulation, and news over the summer that Google has lost its appeal against the £44m fine imposed by France’s supervisory authority for violations of the GDPR.
At this juncture, analysis of enforcement action taken across the EU is ramping up, with several supervisory authorities criticised for lengthy investigations or apparently low sanction rates. Internet rights group Access Now published a report in May 2020 highlighting what it called “weak” enforcement of the Regulation across the EU, finding that at that point only 231 fines and sanctions had been issued over the two years across the EU. The report compares that relatively low number of actions with the 144,376 complaints made in the first year alone.
However, there are signs that regulators across Europe are continuing to enforce the GDPR, despite Covid-19 presenting challenges for firms. July saw £18,395,932 worth of fines imposed by supervisory authorities, and the first days of September 2020 alone have seen £82,556 imposed.
The largest fine levied over the summer, of over £15m, was issued to an Italian telecoms firm that had attracted complaints from consumers about unsolicited marketing contact and about the inability of customers to withdraw their consent or object to the processing of their data, in part because the firm’s privacy notice did not contain the correct details. An app used by the firm had been set up so as to require the user to give a series of consents for different data processing purposes, which could then only be revoked after 24 hours. This breached the rights of the data subjects, as well as Article 25 – data protection by design and by default.
Fines across Europe vary significantly in value, with 55% of all fines given out in August and September totalling £5,000 or less. These smaller fines are imposed for relatively minor infringements, including the display of one individual’s personal data within a shop, failing to inform a data subject within one month of the outcome of their request for data deletion, and publishing information about website cookies that was insufficient or inaccurate about how the cookies would affect individuals’ computer equipment.
The UK’s supervisory authority, the ICO, has come under fire for a surprising lack of enforcement action over the past two years. However, cases likely to result in a large fine or sanction are complex, and these can take the ICO years to resolve. The ICO is still dealing with some complaints made under the Data Protection Act 1998, so the relatively small number of actions can’t yet be taken as an indicator of how the GDPR will be enforced in the UK.
The Access Now report does, however, highlight that the ICO has announced the largest total amount of proposed fines under the GDPR, at £282.59m: £183.39m against British Airways and £99.2m against Marriott International – although the final decision on Marriott’s fine is scheduled for the end of September.
While it has taken the supervisory authorities some time to investigate breaches of the GDPR and then to issue final decisions, there is evidence that the rate of enforcement is increasing: since the Access Now report was published in May, 99 fines have been imposed across the EU – almost half the total number of sanctions imposed between May 2018 and May 2020.
And with the end of the Brexit transition period imminent, the UK will be keen to obtain an adequacy decision, which would allow personal data to continue to flow from the EU to the UK without additional safeguards. This notoriously difficult stepping stone is likely to be granted only if the EU is satisfied that the ICO is effective in its oversight of data protection.
The range of breaches that supervisory authorities are investigating demonstrates the importance of ensuring that the practical impact of the GDPR is fully understood by staff throughout the firm – from the front line to those who design products, services, websites and apps.
GDPR training shouldn’t be viewed simply as a tick-box step – it should be appropriate for the learner, engaging and easily accessible. Ideally, the learner should be able to return to the training to revise and review what they have learned. Some staff, especially those with more seniority, will need a good grounding in the whys and wherefores of the GDPR, while front-line staff will need easy-to-understand background to support the practical steps they’ll need to apply when dealing with customers in a variety of circumstances. It’s equally important that staff are reminded of their obligation to speak up if they notice a potential problem or breach.
Our online data protection courses can be completed at the learner’s convenience. We offer three courses covering data protection. Our Data Protection and Information Security course provides the background to the applicable legislation and explains how to avoid security breaches. Our Understanding Data Protection Regulation course comes in two versions – one for front-line staff and one for senior staff.