Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli... Oh, that's mostly Google

2019 just a transition year, says French watchdog


European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases – but watchdogs have said they're just warming up.

An assessment from the European Data Protection Board (EDPB), which is made up of regulators across the region, found that, in the first nine months, there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.

Vivienne Artz, chief privacy officer of market data purveyor Refinitiv, cited the report (PDF), published at the end of February, at a panel event assessing the first year of GDPR at a data protection conference in London this week run by the International Association of Privacy Professionals.

About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts.

Artz said that the total fines came to €55.96m – which she observed seemed like a lot before you realise that almost all of it comes from French data watchdog CNIL's €50m fine for Google.

Indeed, the figure emphasises the size of CNIL's fine – which was the first it had handed out under GDPR – and the body's director of the rights protection and sanctions directorate, Mathias Moulin, was on the panel to set out its reasoning.

He said the breach was "massive and highly intrusive", and that the fine had been based on five factors. These included the type of violation, its scale – it was continuous, rather than a one-off, and affected lots of people and massive amounts of data – and the size of the company.

But given the huge range of potential fines – which has risen from "up to £500,000" (in the UK) to "up to" €20m or 4 per cent of annual turnover – the EDPB has also tasked data protection agencies with "harmonising" their approaches.

At the event, Stephen Eckersley from the UK Information Commissioner's Office revealed that his organisation was working with the data protection agencies in the Netherlands and Norway to establish a "matrix" for calculating fines. This won't be public-facing, he said, but will instead be a "toolkit" for watchdogs.

As for the ICO's enforcement actions, he said that there were some GDPR cases in progress, but that the past year had been mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax.

Even CNIL's Moulin said that last year "should be considered a transition year" for GDPR, as national regulators had to focus on finalising their rules and approaches, and spent most of their time tying up probes under the previous regime.

One thing that did change immediately under GDPR, if not the fines, was the number of incident reports. This was particularly so for companies turning themselves in over data breaches.

Eckersley said there was a "massive increase" in reports of data breaches in the first month at 1,700. This has levelled out a little, but there are still about 400 coming in a month. Overall, he expects the total to reach about 36,000 this year – up from 18,000 to 20,000 previously.

In order to deal with the increased demand – and organisations' propensity to report "just in case" – the ICO has set up a dedicated team for personal data breaches, so data controllers have a single point of contact to help them assess whether to make a formal notification.

The panel also noted that, while data breaches are more likely to hit the headlines, there are many more complaints coming in about other aspects of privacy regulations. For instance, Eckersley said that about half of the complaints relate to the way subject access requests have been handled. ®
