Now that the CCPA is in effect here in the states, it’s worthwhile to check in and see how things are going with its elder sibling across the pond.
Suffice it to say that those tasked with enforcing the General Data Protection Regulation (GDPR) have been busy, a new report from law firm DLA Piper shows. Published on January 20, the GDPR Data Breach Survey shows just how much commotion the regulation has caused since it went into full effect on May 25, 2018.
Over that period, European authorities received more than 160,900 data breach reports. That comes to a shade more than 260 reports per day. They also doled out €114 million ($126 million) in fines for data breaches and other infractions.
Is the GDPR going through its terrible twos? Or are these results just a glimpse of what’s to come? Let’s take a closer look.
A GDP-Refresher
The GDPR is a European Union law stipulating that companies must be held accountable for the personal data they retain concerning any citizen in the EU—whether an employee, customer, or business partner. According to the Information Commissioner's Office (ICO), which is the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” there are eight rights the GDPR extends to all EU citizens. Among them are:
The right to be informed about the collection and use of individual’s personal data
The right of access to personal data that a company holds
The right to erasure of private information when requested
Looking closer at the DLA Piper report, a few surprises emerge when examining which countries are receiving the full force of the law. The top fine-getters were:
France, €51 million ($57 million)
Germany, €24.5 million ($27 million)
Austria, €18 million ($20 million)
Meanwhile, the following three countries led the way in terms of total number of data breaches—note that Germany is the only country on both lists.
The Netherlands, with 40,647 breach notifications
Germany, with 37,636
The U.K., with 22,181
While these seem like big numbers, they are minuscule compared to the size of the fines that the authorities could be giving out.
The law vests lawmakers with the power to levy fines amounting to 4% of annual global revenue or €20 million ($22 million), whichever is greater. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to 2% of annual global revenue or €10 million ($11 million).
Some context: consider Google’s tussle with the law back in January 2019. France’s data protection regulator, CNIL, issued the search giant a €50 million ($57 million) fine for failing to comply with GDPR obligations. For Google, which hauled in $40.49 billion in revenue in the third quarter of 2019 alone, this hardly amounted to a slap on the wrist. If CNIL had elected to employ the full force of the law, it could have extracted billions of dollars from the company.
The Law is Yet Young
To be fair, Google was GDPR’s first major victim, and many thought the company was being held up as an example. The fact remains: the varying results across countries and companies point to a lack of uniformity when it comes to interpretation and application of the law. This suggests that we are still in the early days of enforcement. The law’s arbiters seem to be taking the law for a spin rather than throwing the book at companies, hoping the threat of major fines scares Google and its ilk into compliance.
It may be a few years before EU countries can align on uniform enforcement practices. GDPR is interpreted quite differently across Europe. Although it's the same legal text, it is principle-based and open to interpretation. Seen in this light, it’s unsurprising that this is exactly what has happened in practice.
How LogicGate Can Help You Deal with GDPR Ambiguity
The early GDPR fines raise many questions and offer few answers. Ask two different regulators how GDPR fines should be calculated, and you will get two different responses. This legal ambiguity scares companies—which is partly the point.
The wide-ranging requirements of the GDPR present challenges for organizations, especially since the requirements to become compliant vary for each individual business. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating all of the new processes as well as enhancing existing manual processes (such as third-party risk management) that now must incorporate privacy impact assessments.