UPDATE JUNE 2020: We published a new version of this article. Read: 2 Years GDPR: An Overview of Enforcement, Warnings and Fines
About a year ago, on 25 May 2018, the General Data Protection Regulation (GDPR) became applicable after a two-year transitional period. During this transitional period, organizations were given the time to prepare for the new rules on the processing of personal data.
However, this two-year transitional period appeared to be insufficient for some organizations to bring their personal data processing operations in line with the GDPR. Therefore, the question arose as to whether and how the supervisory authorities - which can impose fines - would take action against these organizations. Today, one year later, we draw up a balance sheet of the enforcement actions taken by the supervisory authorities across the EU.
The Belgian supervisory authority - the Data Protection Authority (DPA) - reported an exponential increase in the number of cases reported in 2018. There were almost double the amount of information requests and data breach notifications increased from 13 during the full year of 2017 to 317 since May 2018, perhaps because previously only the telecom sector was subject to the obligation to report, while now it has been extended to all sectors. In order to meet the requests for information, the Belgian DPA gradually updates its website and publishes recommendations or opinions, such as an overview of the terms 'controller' and 'processor'.
The Belgian supervisory authority is not the only authority that has noticed an increase in the number of cases, including reports of data breaches, since the beginning of the GDPR. For example, the UK supervisory authority noted an increase of 160% in the number of notifications and the French authority saw the number doubled.
At the level of the European Data Protection Board (EDPB) - the successor to the Article 29 Working Party - the period after the entry into force of the GDPR was also closely monitored. The EDPB announced in October 2018 that the first five months had been busy for the authorities. There were 162 cross-border cases in progress at that time and a total of some 80,000 data breaches were reported. In addition, 15 one-stop shop procedures and 233 procedures on mutual assistance between supervisory authorities would be ongoing.
One year after the GDPR came into force, these figures have only increased. The Chairman of the EDPB sums up the first year of GDPR as follows:
It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace. Earlier this year, the EDPB adopted its work program for 2019 and 2020. We will also see several cross-border cases carried out by SAs leading to a final outcome in the coming months. Last but not least, we want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.
Some supervisory authorities, such as the Dutch one, initiated exploratory investigations after the GDPR came into force. In the summer of 2018, the Dutch supervisory authority - the Data Protection Authority (DPA) - asked 30 random organizations to submit their register of processing activities. These were large private organizations from various sectors. They were given a few weeks to submit their register.
Later in 2018, the Dutch DPA published five concrete recommendations for maintaining the register. A striking recommendation is that the Dutch DPA advises organizations to indicate in the register at which location or in which file personal data are stored and to record this in the register. This information is, according to the Dutch DPA, relevant to a request for access or deletion, but is not mandatory information to be included under Article 30 of the GDPR. In addition, data controllers should also remember to include their contact details in the processing register as is required by the GDPR, but often forgotten about in practice.
Other exploratory studies in this series concerned the processor agreement at 30 organizations and the data breach register at 26 government organizations. This latest exploratory study showed that only 60% of the government organizations surveyed had a data breach register that met the requirements, after which the Dutch supervisory authority formulated ten practical tips. These include the clear description and classification of incidents, taking preventive and corrective measures, transparent communication with those affected and providing training to employees.
In addition to the exploratory investigation by the Dutch authority, the first enforcement actions were taken by other authorities in 2018.
Two companies (Faiella Nicola and Visirun) that used a geolocation system in commercial vehicles.
There was no immediate fine imposed by the Garante. The two companies had to take some measures, being the possibility for employees to turn the system off outside working hours, a sticker on the window, and restricting access to the geolocation system.
Canadian company AggregateIQ Data Services Ltd. (AIQ)
Again, no immediate fine was imposed. AIQ uses personal data it receives from its customers, mainly political parties, for targeted political advertising campaigns (in this case the Brexit). The ICO ruled that AIQ had to stop the processing activities because the parties involved were not informed and AIQ had no legal basis for this.
Two companies (Teemo and Fidzup)
The two companies relied on the invalid consent of the parties concerned for the personalization of advertising. Both companies were urged to comply with the legislation in force, including the GDPR, within three months.
Although there was already a first (cautious) enforcement by several supervisory authorities in 2018, the supervisory authorities seem to be accelerating in 2019. No example better to illustrate this than the fine for Google in France. The French supervisory authority - the Commission Nationale de l'Informatique et des Libertés (CNIL) - imposed a fine of € 50 million on Google for, among other things, a lack of transparency, insufficient information for the parties concerned and the lack of valid authorisation to personalise advertising.
The interesting thing about this case was that the one-stop shop mechanism was not applied by the CNIL. According to the CNIL, the Irish branch of Google - the European main establishment - did not have the power to decide on Google's cross-border processing activities at the time of the opening of the procedure. Each supervisory authority therefore remained competent, according to the CNIL. Moreover, it is not yet clear whether the one-stop-shop mechanism will affect the possibility of initiating proceedings before the courts. This is one of the preliminary questions in the Belgian DPA versus Facebook case that was recently referred to the Court of Justice.
With regard to the imposition of fines, the Dutch supervisory authority (the AP) amended its fining policy rules in March 2019 and brought them into line with the GDPR. It has relied on the guidelines adopted by the Article 29 Working Party, previously published in 2017.
For infringements of the GDPR - the Dutch DPA is also responsible for the enforcement of other privacy-related legislation - the Dutch DPA distinguishes four categories. Each category has a basic fine that can be adjusted upwards or downwards according to the circumstances. For example, an infringement of Article 30 of the GDPR (on the processing register) is sanctioned with a fine of the second category to which a basic fine of € 310,000 applies. For this category, the basic fine can then, depending on the circumstances, be reduced to € 120,000 or increased to € 500,000.
In addition to our Southern neighbouring country and Northern neighbouring country, the Belgian DPA and other supervisory authorities have not been idle. Although it appeared that some authorities had issued a warning in the past, they sometimes imposed an administrative fine as well. Below is an overview of various fines imposed by them in 2018 and 2019, ranked according to the amount of the fine.
For violating the principle of finality. The mayor answered an e-mail sent to him to record an appointment with election propaganda.
A local publisher
For publishing the name and photo of police officers, even though it was not proportional under these circumstances.
A local hospital
For losing a patient file.
An Austrian sports betting café
For security camera (CCTV) violations. These cameras would be focused on the public domain, such as the street and parking, and the images would be kept for too long (more than 72 hours without justification). This is an infringement of the principle of storage restrictions.
A German social network (knuddels.de)
For failure to take appropriate technical and organizational measures. In this case, passwords were kept in full text (it was recently found that Facebook also did this, which is now being examined by the Irish authorities).
A Payment Initiation Service Provider
For collecting more data than necessary and to keep it longer than necessary (216 days instead of 10 minutes) and for not reporting a data breach. Moreover, such payment initiation services are new since the Directive (EU) 2015/2366 on payment services (PSD2).
€ 160,000 (converted)
A Danish taxi company (Taxa 4x35)
For keeping track of personal data for longer than necessary more specifically because the telephone number was an essential part of the taxi company's system.
€ 220,000 (converted)
An international data analytics company (Bisnode)
For a breach of the duty to provide information. The company in question had to inform 6 million people within three months.
A Spanish football league (La Liga Santander)
For not sufficiently informing about switching on the microphone and geolocation via the La Liga app in order to be able to locate illegal broadcasts of football matches.
A local hospital (Centro Hospitalar Barreiro Montijo)
For failure to take appropriate technical and organizational measures. The hospital is said to have given nine social workers access to certain medical data and access rights to these data were also granted carelessly. While there were 296 doctors working in the hospital, four times as many employees had the same access rights as them.
An American transport app (Uber)
For not reporting a data breach within 72 hours. Although it was a data breach in 2016, the Dutch DPA relied on national legislation and the GDPR to impose this fine.
Penalty payment (max. € 900,000)
A Dutch sickness absence portal for employers
To take more measures to secure access to the sick leave portal for employers, at least by applying multifactor authentication.
Although most supervisory authorities have been relatively lenient in 2018, some authorities, including the Belgian DPA, indicated that they will be stricter in 2019. In April 2019, the new members of the Belgian DPA took their oath before the House of Representatives. At the same time, the new president of the Belgian DPA announced that the Belgian DPA will step up its efforts to ensure compliance with the GDPR and that fines may also be included. After all, the transitional period has now come to an end. The announcement of the new president was recently reinforced by the imposition of the first GDPR fine in Belgium.
The chairman of the Dutch DPA also stated that in 2018 the Authority's main focus was on ending possible violations by focusing on remedial action by organizations themselves, but that in 2019 complaints will more often lead to an investigation and possible sanctions.
The likely increase in fines is also reflected in the statements made by the Irish Data Protection Commission (DPC) in the US Senate. At an oral hearing, the Irish authority indicated that 51 large-scale investigations were currently on the way. Of these 51 studies, 17 would focus on technology giants such as Apple, WhatsApp, Instagram and Facebook. The DPC already started an investigation into the latter. Facebook was also asked several times for an explanation about data breaches, but a fine was not yet possible.
Finally, the question arises as to whether these fines are insurable, since in the event of serious or repeated violations of the GDPR, the fine can amount to a maximum of 20 million euros or 4% of the annual worldwide turnover.
A fine for an infringement of the GDPR imposed by a supervisory authority is an administrative fine and can in principle be insured in Belgium. Then there are two questions, namely:
By no means does every insurance policy just cover administrative fines, but there are cyber policies in the insurance market that do cover such administrative GDPR fines. Unfortunately, however, in most cases the insurance policy coverage will not be high enough to fully cover any maximum fine under the GDPR.
In addition to a fine, damage may also have been caused to the parties involved (e.g. by a data breach). In these cases, the traditional liability insurance could be used. In addition to damage to those involved, there may also be damage to their own IT systems, for example as a result of hacking. If necessary, the cyber policy for own damage can be held liable for this damage.
Do you want to know more about the future of GDPR enforcement and fines? Contact a lawyer of Timelex.