In the last half of 2018, GDPR enforcement activity among data protection authorities across Europe saw a steady uptick, and the trend will continue in 2019. Organizations in a broad range of industries received public reprimands, enforcement notices and fines. Violations ranged from data breaches to inadequate security practices and failure to obtain consumer consent before collecting data.
Some of the most severe and notable actions that took place in 2018 include:
- Numerous consumer groups across the EU called for action under GDPR and filed complaints with data protection authorities against a major technology corporation. The complaints alleged that the corporation illegally tracks and collects user data without proper consent.
- A small app developer in Germany was one of the first fined under GDPR when it received a €20k penalty for failing to follow security best practices to protect user passwords.
- The Information Commissioner’s Office (ICO) in the UK issued a formal GDPR enforcement action against a Canadian data analytics firm, demanding that the organization “cease processing any personal data of UK or EU citizens…” The ICO alleged that the firm was “processing personal data in a way that data subjects were not aware of, for a purpose they would not have expected, and without a lawful basis for processing.”
- Following a probe into a major technology corporation, regulators in Europe have indicated they may issue a US$1.6 billion fine for a data breach impacting 50 million users. The same organization also received a £500,000 fine from the ICO for violation of data protection laws affecting an estimated 87 million people. Notably, the ICO mentioned that the fine would have been considerably higher if the violation had fallen under the scope of GDPR.
- In November, France’s data privacy regulatory body, the Commission Nationale de L'Informatique et des Libertés (CNIL), imposed GDPR consent requirements for companies in the online advertising industry.
- Among the first to issue fines under GDPR, data protection authorities in Portugal doled out a €400,000 fine to a hospital for failure to apply appropriate access controls over digital patient data.
If momentum from 2018 is any indicator, a busy year lies ahead for data privacy professionals around the globe. These incidents signal a number of data privacy trends organizations should prepare for, including:
- Enforcement will increase, but incrementally: We’re starting to see sanctions from data protection authorities, but most so far have been relatively small. Many enforcement actions to date have focused not on monetary penalties but on pressuring organizations to get their data under control. The larger, cross-jurisdiction sanctions may take some time, as regulators in various countries determine how to cooperate with each other and conduct investigations that will bolster their ability to issue hefty penalties against large multinational entities with significant resources.
- Territorial scope will be leveraged: An organization does not need to have a physical presence in Europe to be impacted by the GDPR. The matters above and other recent sanctions make clear that regulators will indeed enforce their authority under territorial scope, including by cooperating with non-EU regulators. Any corporation with a footprint in Europe, whether or not it is physically present there, needs to be prepared.
- Cooperation may lead to leniency: Authorities have demonstrated willingness to be lenient with organizations that cooperate and demonstrate good faith in complying with the laws. We saw this in the incident with the German app developer mentioned above. In that case, GDPR would have allowed a larger fine, but citing the developer’s cooperation, authorities offered a lesser penalty.
- Class action lawsuits stemming from data breaches will pick up globally: While historically the legal community in Europe has not been as aggressive as in the U.S. with regard to pursuing class action lawsuits stemming from data breaches, this is going to change under GDPR in the coming year. As demonstrated by a recent airline breach, we’re going to see more attorneys in Europe and the UK work to bring legal action against corporations that experience data breaches or violate GDPR guidelines. The impact of these lawsuits will likely be more severe and longer-lasting than any financial sanctions imposed by data protection authorities.
Another important lesson from activity in 2018 is that a data breach is not necessarily a breach of data protection laws. The recent airline breach in the UK is a good example: the company was hacked and suffered a breach, but it responded with transparency and best practices, and thus far the incident has not been found to be a violation of GDPR. On the other hand, as we’ve already seen in 2019 when the CNIL imposed a €50 million fine relating to the processing of personal data for advertising purposes without first obtaining consent, a data breach is not required for an organization to be in violation of GDPR.
As organizations work to prepare for increased GDPR scrutiny, they should also keep an eye on other regions where data privacy laws and enforcement actions are increasing due to the spotlight GDPR has put on privacy. Notably, for example, California’s new proposed privacy law, which closely mirrors the GDPR, is set to take effect on January 1, 2020. The trends above should be taken into serious consideration and leveraged to build better practices in 2019, ensuring that information governance and data privacy risk programs are a top priority for company leadership.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.