Business

Policy

Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli... Oh, that's mostly Google

2019 just a transition year, says French watchdog

27 Got Tips?

European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases – but watchdogs have said they're just warming up.

An assessment from the European Data Protection Board (EDPB), which is made up of regulators across the region, found that, in the first nine months, there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.

Vivienne Artz, chief privacy officer of market data purveyor Refinitiv, cited the report (PDF), published at the end of February, at a panel event assessing the first year of GDPR at a data protection conference in London this week run by the International Association of Privacy Professionals.

About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts.

Artz said that the total fines came to €55.96m – which she observed seemed like a lot before you realise that almost all of it comes from French data watchdog CNIL's €50m fine for Google.

Indeed, the figure emphasises the size of CNIL's fine – which was the first it had handed out under GDPR – and the body's director of the rights protection and sanctions directorate, Mathias Moulin, was on the panel to set out its reasoning.

He said the breach was "massive and highly intrusive", and that the fine had been based on five factors. These included the type of violation, its scale – it was continuous, rather than a one-off, and affected lots of people and massive amounts of data – and the size of the company.

But given the huge range of potential fines – which has risen from "up to £500,000" (in the UK) to "up to" €20m or 4 per cent of annual turnover – the EDPB has also tasked data protection agencies with "harmonising" their approaches.

At the event, Stephen Eckersley from the UK Information Commissioner's Office revealed that his organisation was working with the data protection agencies in the Netherlands and Norway to establish a "matrix" for calculating fines. This won't be public-facing, he said, but will instead be a "toolkit" for watchdogs.

As for the ICO's enforcement actions, he said that there were some GDPR cases in progress, but that the past year had been mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax.

Even CNIL's Moulin, said that last year "should be considered a transition year" for GDPR, as national regulators had to focus on finalising their rules and approaches, and spent most of their time tying up probes under the previous regime.

One thing that did change immediately under GDPR, if not the fines, was the number of incident reports. This was particularly so for companies turning themselves in over data breaches.

Eckersley said there was a "massive increase" in reports of data breaches in the first month at 1,700. This has levelled out a little, but there are still about 400 coming in a month. Overall, he expects the total to reach about 36,000 this year – up from 18,000 to 20,000 previously.

In order to deal with the increased demand – and organisations' propensity to report "just in case" – the ICO has set up a dedicated team for personal data breaches, so data controllers have a single point of contact to help them assess whether to make a formal notification.

The panel also noted that, while data breaches are more likely to hit the headlines, there are many more complaints coming in about other aspects of privacy regulations. For instance, Eckersley said that about half of the complaints relate to the way subject access requests have been handled. ®

Sign up to our NewsletterGet IT in your inbox daily

27 Comments

Keep Reading

ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online

Ooo, double irony!

Vint Cerf suggests GDPR could hurt coronavirus vaccine development

Essay on role of internet during plague times also suggests online schooling may not be the finished article

IBM Watson GPU cloud cluster Brexits from London to Frankfurt – because GDPR

Users have migration work to do in the next month. Good thing nobody's busy right now, eh?

Wanna force granny to take down that family photo from the internet? No problem. Europe's GDPR to the rescue

Grandchild Digital Picture Removal

EU've been naughty: GDPR has netted bloc €114m in fines since 2018

France, Germany and Austria house the most offenders – survey

Google to appeal against €7m fine from Swedish watchdog for failing to remove search results under GDPR

Right to be forgotten? We forgot...

Legal complaint lodged with UK data watchdog over claims coronavirus Test and Trace programme flouts GDPR

'Government is moving too fast, and breaking things as a result'

Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID

Claims consent was neither informed, nor specific, nor free – but Google says it cannot identify a user from the ID

Browser minnow Brave nips at Google with GDPR complaint

Claims 'don't stand up to serious scrutiny' retorts Google

GDPR...rrrse! Mass-mail fail as German biz asks UK resellers for consent to use their dealer data

What's the worst subject line for an email CC'd to world+dog?

Tech Resources

SANS 2019 Threat Hunting Survey

Threat hunting is a proactive approach to identifying signs of an attack, as opposed to the reactive approach security operations centre analysts follow.

Latency is the New Outage

More organizations are tying their future success to digital and online business.

Endpoint Detection and Response

EDR solutions come in a variety of implementations and can vary significantly in scope and efficacy. Choosing the best solution can be challenging.

SANS Report: Factoring Enterprise IoT into Detection and Response

In this report, learn about the growth of IoT devices inside corporate networks