GDPR enforcement so far: British Airways and Google take the headlines, but many are underwhelmed
26 September 2019
Will Chantry, UCL Laidlaw Scholar, and Oliver Patel, discuss the enforcement of GDPR so far.
The GDPR, the EU’s general data protection regulation, has been in place for 16 months. Whilst there have been some big changes, both in consumer attitudes towards privacy and company practices, our research suggests that enforcement has not been as robust and hard-hitting as many hoped for.
GDPR has given European regulators the power to fine companies €20m or 4% of annual global turnover, meaning that rigorously complying with data protection laws has become a must for businesses. For perspective, Facebook was only fined £500,000 by the UK’s Information Commissioner’s Office (ICO) for the data breach involving Cambridge Analytica. This was the maximum fine prior to GDPR, and is extremely modest compared to the current system. (Facebook’s global annual turnover was $55.8bn in 2018, meaning the social network giant could, in theory, be fined up to $2.2bn by regulators today!)
Whilst there has been disappointment in some quarters that no colossal fines have been issued against the tech giants, this is probably only a matter of time, and does not signal fundamental problems with the GDPR.
Enforcement successes
The three most notable GDPR fines so far have been: the ICO fining British Airways £183.39m; the ICO fining Marriott International £99m; and the French data protection authority (DPA), CNIL, fining Google €50 million. These cases have sent a strong message to companies about the importance of protecting personal data from breaches (British Airways and Marriott International), and the importance of obtaining informed and valid consent for data processing (Google). There have been more small-scale fines and data holding bans too, with Italy, Poland, Austria and Germany all imposing enforcement actions. On some measures, Spain’s regulator has been the most active
Another successful element of the GDPR enforcement system has been the inclusion of Article 80, which allows NGOs and activist groups to file complaints on behalf of the public. This has contributed significantly to the 144,000 individual complaints which EU regulators received in the first 12 months of GDPR, thereby enabling enforcement to become more comprehensive in scope. Privacy activist Max Schrems’ organisation None Of Your Business (NOYB) has been one of the most active NGOs, submitting complaints against 8 major tech companies (including the complaint which led to Google’s fine). This mechanism has strengthened the public’s power vis-à-vis major corporations, enabling individuals to rely on established privacy professionals and activists to fight to uphold their rights for them.
DPA dilemmas: resources and interpretation
Although some regulators have been active and robust with enforcement, not all are able to operate as effectively.
The Belgian regulator, for example, only appointed a Data Protection Commissioner and corresponding team in April 2019, almost a year after GDPR’s implementation. Due to its legacy structure, essential frameworks like a litigation chamber and an inspection chamber were not in place, which meant that this DPA was not able to work on complaints and investigate breaches as comprehensively as others. The Belgian DPA has 60-70 full-time staff members, compared to the 500+ staff in the UK’s ICO. More broadly, there are massive disparities in resources, staff numbers, expertise and clout between DPAs, which undermines the effectiveness of GDPR enforcement in some countries. Some have fewer than 10 members of staff and very small budgets.
As a result of the GDPR's One-Stop-Shop mechanism, all cases, including those of a cross-border nature, are investigated and overseen by one EU regulator. The 'lead supervisory authority' in each case is the DPA from the EU country where the corresponding business is based. This mechanism ensures that companies cannot be fined multiple times by different EU regulators for the same GDPR breach. As a result of the One-Stop-Shop, Ireland’s Data Protection Commission (DPC) has principal control over investigating many of the tech giants which are based in Ireland, including Google and Facebook.
Questions have been asked of the Irish DPC, with some wondering why no major fines have yet been issued to the tech giants in their jurisdiction. Indeed, many believe that some of the tech giants are heavily non-compliant and continue to flout data protection rules post-GDPR. One EU official told us that “we need serious enforcement in 2019, otherwise the GDPR will lose credibility [...] non-compliance remains widespread.''
Although the DPC doubled in size to 140 staff and continues to grow, some suspect that GDPR enforcement may be compromised by the overriding economic incentive to keep big tech in Ireland. A study by Politico even argued that Ireland’s lax approach to enforcement could render the entire GDPR vulnerable. As of yet, the DPC have not yet taken landmark enforcement action.
These fears about Ireland, and GDPR enforcement more broadly, are probably overblown. Many EU officials are not that worried, as they argue that big cases are highly complex and take lots of time to investigate. Also, the cases need to be watertight, so that they can stand up to the inevitable appeal in the courts. One official noted that “there are big cases in the pipeline [...] these complex cases have to actually be won in court.” There are currently major DPC investigations into both Facebook and Google, which could result in much bigger fines than the ones we’ve seen to date.
Another enforcement-related issue has been interpretation of the GDPR. Many business leaders have called for more guidance from regulators as the breadth of the GDPR means that there is scope for alternate interpretations of the law. Privacy campaigners have even suggested that this lack of guidance has helped reduce compliance in big tech companies. In one of its first cases, the Polish DPA was criticised for its lack of clarity in explaining an element of GDPR’s Article 14. Article 14 stipulates that companies can waive their obligation to notify data subjects of the storage of their personal data if it constitutes a ‘disproportionate effort’. The company in question, Bisnode, used Article 14 as a justification for not sending out information to 6.7 million people on their database. Bisnode argued that they had insufficient information to contact each person, and that doing so would cost more than their annual turnover. The resulting rejection of this reasoning by the Polish DPA did not detail why this did not constitute disproportionate effort, and failed to give any examples of when disproportionate effort could be justified.
Final thoughts
The biggest GDPR enforcement problem is time: not enough of it has yet passed. Over time, we are bound to see bigger cases and bigger fines, which will have a ripple effect on businesses and the corporate approach to data protection at large. Also, regulators are bound to issue more detailed guidance over time, as familiarity with GDPR and its implications increases. Major points of contention will also be settled in the courts.
The GDPR was negotiated and agreed by the EU with the promise of a certain level of autonomy and sovereignty for each Member State; without this, the legislation may well have not been passed. This makes Member State divergence and variability in enforcement a necessary consequence of GDPR. Some even suggest that this initial variability is a positive thing, as it could lead to the most effective enforcement solutions being found through each DPA following its own approach.
Unfortunately, the big problem which won’t be solved with time alone is the reality of under-resourced DPAs. A law is only as strong as the capabilities of those which enforce it, and in some countries, enforcement capabilities are very weak. Many DPAs require more funding, more resources and more staff. Until then, GDPR enforcement could remain patchy.
Research dervied from interviews with data protection stakeholders in July 2019, generously funded by UCL's Laidlaw Scholarship Programme.
- Will Chantry is a Laidlaw Scholar second year Geography student at UCL
- Oliver Patel is Research Associate at the UCL European Institute
Image credit: Mixmagic, Shutterstock