On May 25, 2018, the General Data Protection Regulation (GDPR) became effective across the European Union. The GDPR is a regulation designed to give EU residents control over their personal data and simplify the regulatory framework for international organizations doing business in the EU. In its infancy, it was not entirely clear how the GDPR would be enforced. Now, one year later, the regulation is beginning to show some teeth.
Although many data privacy lawyers disagree on whether strict compliance with the GDPR is even possible, recent enforcement measures have shed some light on how the regulation may be enforced in the future. A review of last year’s enforcement actions should help companies avoid unnecessary penalties and inform them what to expect going forward.
History and Scope
In contrast to the United States’ sectoral approach to data privacy, the GDPR is an omnibus law that regulates the processing of personal data across all sectors in the EU. The regulation binds EU member states and businesses established in the EU, as well as non-EU businesses that offer goods or services to, or monitor the behavior of, individuals in the EU.
The GDPR grants significant rights to individuals whose data is collected (“data subjects”). A person in the EU can request that a company delete her personal data, or explain how her personal data is used and processed. The regulation also imposes significant obligations on companies that process such data. For example, companies must implement appropriate technical and organizational measures to protect personal data, and must inform data subjects about what data is collected, how long it is retained, and to whom it is transferred.
Noncompliance with the GDPR exposes a company to significant penalties: the most serious infringements are punishable by a fine of up to 20 million euros (roughly $22 million) or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Enforcement Action Takeaways
At its inception, it was unclear how the European supervisory authorities would enforce the GDPR. Over the past year, however, there have been several GDPR enforcement actions that illustrate important takeaways for companies that process the personal data of individuals in the EU.
Good faith compliance is the best policy
Companies need to be able to show that they attempted good faith compliance with the GDPR. Where companies blatantly disregard GDPR requirements, they expose themselves to substantial fines and penalties. In March 2019, the Polish supervisory authority fined a data controller that had compiled personal data from publicly available sources, without notifying the individuals concerned, an amount equal to about $250,000.
In that case, the supervisory authority noted that the company knowingly violated the GDPR by failing to inform data subjects how their data was being used and processed. It found that the company deliberately ignored the notification requirement because it wanted to avoid the additional expense of contacting the individuals whose data it held.
Large fines may be imposed but regulators are hesitant to issue maximum fines
In January 2019, the French supervisory authority fined Google 50 million euros (roughly $57 million) for failing to establish a valid legal basis for personalized advertising and for not being transparent about its use of consumer information. As one of the largest enforcement actions to date, it takes direct aim at Google’s business model of using personal data to sell targeted advertising to third parties.
But the sheer size of this fine should not scare businesses away from the EU. Although significant, the 50 million euro fine amounted to a mere slap on the wrist for Google, as its parent company, Alphabet, Inc., reported revenue of over $136 billion in 2018. Under the GDPR’s 4% ceiling, Google could have been fined more than $4 billion.
To date, data protection authorities have yet to levy maximum fines for noncompliance with the GDPR. In the coming year, it will be interesting to see whether privacy regulators stay the course or increase pressure by levying heavier fines against non-compliant organizations.
Once a violation is discovered, cooperation with the supervisory authority is key
Cooperating with a country’s supervisory authority is essential for reducing exposure to large fines. In one of the first GDPR fines issued in 2018, a German social media network, Knuddels.de, was fined 20,000 euros ($22,750) after it reported a data breach that exposed the email addresses and passwords of hundreds of thousands of users. The passwords had been stored in plaintext, in breach of the GDPR’s requirement to implement appropriate security measures.
The supervisory authority noted that the relatively small fine was due in large part to Knuddels’ high level of transparency regarding the breach, its extensive cooperation, and its quick remediation of the security shortcomings. It appears supervisory authorities will consider an organization’s willingness to remedy its security shortfalls when setting fines for noncompliance. Thus, a company faced with a breach or other noncompliance should be open and cooperate with the supervisory authority in order to minimize the fine. Cooperation is a mitigating factor, not a guarantee: the underlying security failure is still penalized.
The GDPR and U.S. Law
Although companies that neither operate in the EU nor target individuals there are not subject to GDPR requirements, that does not mean they are completely off the hook. California recently passed the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020 and shares many features with the GDPR.
Further, other states, including (but not limited to) Illinois, New York, and Washington, are considering measures akin to the CCPA. While these prospective laws are substantially similar, subtle differences will make them difficult to navigate. Until Congress passes a comprehensive data privacy law, companies will have to manage an array of legal requirements and privacy frameworks. For many companies, attempting GDPR compliance is a solid step toward navigating the ever-changing patchwork of state privacy laws.
Data privacy law is undergoing massive change. Lawmakers and regulators, both within the United States and abroad, are scrutinizing companies that extract, analyze, and sell consumer data.
In light of last year’s enforcement actions, it is important that organizations continue to assess their compliance with U.S. and international data privacy laws. Instead of waiting to see how these laws are enforced, businesses should take proactive steps to secure consumer data and to assess their compliance with the GDPR, where applicable, and with the laws of the states in which they operate.