Welcome to WebmasterWorld Guest from

Forum Moderators: webwork

Nation by Nation GDPR Enforcement Data

3:58 pm on Jun 13, 2019 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator webwork is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 2, 2003
votes: 101

A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below, on a country-by-country level.

[theword.iuslaboris.com ]

Nicely summarized by Nieman Lab (Creative Commons Attribution-Noncommercial-ShareAlike 3.0 United States License) [niemanlab.org ]

Ius Laboris has country reports from 25 of the 28 EU states (sorry, Estonia, Malta, and Romania) and the summaries are worth reading if you’re into this sort of thing — but here are a few of the highlights.

Quite a few countries have issued exactly zero GDPR fines, including Belgium, Croatia, the Czech Republic, Denmark, Finland, Ireland, Italy, Luxembourg, Slovakia, Slovenia, Spain, Sweden, and the U.K.
In some cases, that’s an issue of delay: Each country has to embed the GDPR into its own national laws, and some have been slower than others in doing so — as well as the obligatory follow-up actions of appointing the people who’ll make the decisions and so on. But others appear to have just taken a lighter approach to enforcement, preferring sending legal nastygrams to companies that appear to be on the wrong side of the law.

(And in a few cases it’s theoretically possible that Ius Laboris missed a fine, such as in Germany, where they’re handled by individual state authorities rather than a federal entity.)

The countries that have imposed GDPR fines have generally done so at a very limited scale. Austria has issued only three fines, all around illegal video surveillance. Cyprus and Portugal have each issued four, Poland two, and the Netherlands one. Latvia’s largest fine was 2,000 euros, Bulgaria’s 5,000 euros.
Some examples of fines issued: Greece fined phone companies 150,000 euros for “making unsolicited calls” and oil companies 30,000 euros for “unlawful processing and failure to comply with the required organizational and technical measures.”
Lithuania fined “the electronic money institution MisterTango” 61,500 euros for, among other things, failure to disclose a data security incident.

The Netherlands had only one fine, but it was a biggie: 600,000 euros for Uber, also for not reporting a security breach. (Uber has also faced a 400,000 fine from France and a negative ruling from authorities in Greece.)

One of Poland’s two fines went to “a sports association for failing to delete judges’ data effectively.” One of Portugal’s four was 400,000 euros for a hospital that gave staff “indiscriminate access…to patients’ data.”

While Denmark hasn’t issued any fines yet, its first is currently in the pipeline, for a taxi company found to be storing 9 million riders’ phone numbers.

Hungary has issued a number of fines of about HUF 1 million (around 3,000 euros), including to a credit management company that didn’t delete a user’s phone number after being asked and to a company that deleted camera recordings a person had wanted to use as evidence in a legal proceeding.

A few countries have issued GDPR-like fines but not technically under the GDPR; instead, they’re being justified under similar but previously on-the-books laws as GDPR implementation continues apace. Spain, for instance, fined Facebook 600,000 euros for sharing data from WhatsApp to the mothership “without valid consent” and “using it for a purpose for which consent was not given.” (That case began before GDPR was officially on the books.) The U.K. also fined Facebook, this time 500,000 pounds, under its Data Protection Act 1998.
But as is often the case in the EU, it appears to be France and Germany that have done the heaviest lifting.
Germany has issued 75 fines under the GDPR, though they total only 449,000 euros between them. (The largest was 80,000 euros.) Also fun: The German law implementing GDPR is known as the Bundesdatenschutzgesetz.

Meanwhile, Paris has levied by far the largest fine under the GDPR: 50 million euros on Google for a panoply of different data privacy issues around targeted advertising. That fine alone makes up nearly 90 percent of all fines issued in GDPR’s first year, which add up to about 56 million euros.

France has also had a number of other large fines: 250,000 euros for Bouygues Telecom, 400,000 euros for Uber, 50,000 euros for Dailymotion, and 250,000 euros for something called Optical Center, “all relating to a lack of technical measures securing client data.”
2:29 am on June 14, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
votes: 1014

Some regulations just take a little time to get off the ground once implemented. Not all players will be ready to immediately enforce---as a new internal bureaucracy has to be created to handle the new law(s).

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members