A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below, on a country-by-country level.
Ius Laboris has country reports from 25 of the 28 EU states (sorry, Estonia, Malta, and Romania) and the summaries are worth reading if you’re into this sort of thing — but here are a few of the highlights.
Quite a few countries have issued exactly zero GDPR fines, including Belgium, Croatia, the Czech Republic, Denmark, Finland, Ireland, Italy, Luxembourg, Slovakia, Slovenia, Spain, Sweden, and the U.K.
In some cases, that’s an issue of delay: Each country has to embed the GDPR into its own national laws, and some have been slower than others in doing so — as well as the obligatory follow-up actions of appointing the people who’ll make the decisions and so on. But others appear to have just taken a lighter approach to enforcement, preferring to send legal nastygrams to companies that appear to be on the wrong side of the law.
(And in a few cases it’s theoretically possible that Ius Laboris missed a fine, such as in Germany, where they’re handled by individual state authorities rather than a federal entity.)
The countries that have imposed GDPR fines have generally done so at a very limited scale. Austria has issued only three fines, all around illegal video surveillance. Cyprus and Portugal have each issued four, Poland two, and the Netherlands one. Latvia’s largest fine was 2,000 euros, Bulgaria’s 5,000 euros.
Some examples of fines issued: Greece fined phone companies 150,000 euros for “making unsolicited calls” and oil companies 30,000 euros for “unlawful processing and failure to comply with the required organizational and technical measures.”
Lithuania fined “the electronic money institution MisterTango” 61,500 euros for, among other things, failure to disclose a data security incident.
The Netherlands had only one fine, but it was a biggie: 600,000 euros for Uber, also for not reporting a security breach. (Uber has also faced a 400,000 fine from France and a negative ruling from authorities in Greece.)
One of Poland’s two fines went to “a sports association for failing to delete judges’ data effectively.” One of Portugal’s four was 400,000 euros for a hospital that gave staff “indiscriminate access…to patients’ data.”
While Denmark hasn’t issued any fines yet, its first is currently in the pipeline, for a taxi company found to be storing 9 million riders’ phone numbers.
Hungary has issued a number of fines of about HUF 1 million (around 3,000 euros), including to a credit management company that didn’t delete a user’s phone number after being asked and to a company that deleted camera recordings a person had wanted to use as evidence in a legal proceeding.
A few countries have issued GDPR-like fines but not technically under the GDPR; instead, they’re being justified under similar but previously on-the-books laws as GDPR implementation continues apace. Spain, for instance, fined Facebook 600,000 euros for sharing data from WhatsApp to the mothership “without valid consent” and “using it for a purpose for which consent was not given.” (That case began before GDPR was officially on the books.) The U.K. also fined Facebook, this time 500,000 pounds, under its Data Protection Act 1998.
But as is often the case in the EU, it appears to be France and Germany that have done the heaviest lifting.
Germany has issued 75 fines under the GDPR, though they total only 449,000 euros between them. (The largest was 80,000 euros.) Also fun: The German law implementing GDPR is known as the Bundesdatenschutzgesetz.
Meanwhile, Paris has levied by far the largest fine under the GDPR: 50 million euros on Google for a panoply of different data privacy issues around targeted advertising. That fine alone makes up nearly 90 percent of all fines issued in GDPR’s first year, which add up to about 56 million euros.
France has also had a number of other large fines: 250,000 euros for Bouygues Telecom, 400,000 euros for Uber, 50,000 euros for Dailymotion, and 250,000 euros for something called Optical Center, “all relating to a lack of technical measures securing client data.”