By W. Curtis Preston.
If the first year’s existence of the GDPR has shown us anything, it’s that the European Commission is serious about its successful implementation. It levied over €56 million in fines against 91 companies – €50 million of that was against a single company. We can also see that the public is very aware of the GDPR’s existence and intends to use it, as there were over 200,000 cases in its first year.
What we can also learn, though, is that the European Commission is taking a measured approach. Specifically, the fines have been nowhere near the maximum allowed under the regulations. Even the largest fine of €50 million to Google is a fraction of the maximum fine (4 percent of annual revenue), which would come to somewhere over $4 billion. While the commission still has the power to levy the maximum fine if deemed necessary, it seems to be levying much smaller fines than some thought would be issued.
Experts suggest there are a number of reasons for these lower fines, one of which is that companies might challenge larger fines in court, increasing the time, cost and energy required to collect the fines. Most familiar with the matter seem to think that the commission would rather not spend months or years in court fighting a fine – unless it’s truly necessary.
Members of the commission have stated publicly that they do not wish to put companies out of business or levy a fine so large that a company would be incapable of fixing the problem. The goal seems to be to incentivize companies to fix the problem, while letting them know that if they do not, the fine could get worse.
Time Off for Good Behavior
The commission also seems to want to reward good behavior as much as it needs to punish bad behavior. A perfect example of this is the first company to be fined under the GDPR, a German social media platform called Knuddels. At first glance, the offense seems to be a major one: a data breach that compromised the email addresses and passwords of 330,000 users.
Yet the fine was relatively small, only €20,000, compared to what Knuddels could have been charged. The commission noted that the company proactively and quickly notified the German data protection authorities and customers. They also worked quickly to implement the security procedures that were recommended to address the breach. When combined, all these actions helped Knuddels get off with a lower fine.
Indifference to Privacy
In contrast to the commission’s response to the Knuddels breach, consider the response to multiple violations by Centro Hospitalar Barreiro Montijo, a hospital in Portugal. They were fined €400,000 and didn’t even technically have a breach. It was perceived, though, that they ignored one of the core concepts of the GDPR, which is security by design and by default.
The hospital allowed indiscriminate access to patient records by an excessive number of users – there were 985 profiles with the access level of a doctor, but there were only 296 doctors in the hospital. To make matters worse, all doctors could see all patient records – even records of other doctors’ patients. There were also profiles for doctors who no longer provided services to the hospital, and the last account to be deactivated was in November 2016.
It appears the commission felt these and other actions demonstrated the hospital was consciously violating the GDPR, knowing that its acts were prohibited by law. Although the hospital did take steps to correct the issue once identified, it appeared that they were essentially ignoring the GDPR until someone came knocking on their door. The result was a €400,000 fine – which was still far less than it could have been.
Fines Without Borders
The largest GDPR fine to date was against Google, because the commission felt that people were “not sufficiently informed” about how Google collected and used their data. The commission indicated that Google did not gain proper consent to collect data and use it. Google’s European headquarters are in Ireland, but the French privacy watchdog had no problem levying the €50 million fine from a completely different country.
There are American companies that still think these rules do not apply to them, and they don’t – if the company does not process European Union citizens’ data. But if a company is targeting European citizens with its marketing, then the GDPR applies to that company, and noncompliance is a non-option. In case there is any doubt, the Irish Data Protection Commissioner testified in front of the US Congress this May that she is running several active investigations and expects to sanction some major US companies this year.
No Right to be Forgotten Fines – Yet
One of the most controversial aspects of the GDPR – at least in the storage industry – is an individual’s right to ask that their personal information be deleted if a company has no valid business reason to keep it. Many companies do not store data in a way that makes it easy to delete – especially when it comes to secondary copies of data like snapshots, backups, and archives.
It does not appear any companies have been fined as a result of an inability to comply with such a request. When it does happen, though, the commission’s history of fines in other areas suggests the severity will depend on how the company attempted to comply with the request. Did it completely ignore the idea of the right to be forgotten, or is it simply unable to comply due to limitations of the technology being used? We still don’t know how the commission is going to handle such a situation, and only time will tell what it’s going to do in this scenario.
Act Now Before It’s Too Late
A number of public comments from the commission suggest that fines were small in this first year because it wanted to give companies time to comply with the GDPR. It seemed more concerned about pushing companies towards compliance than it was with punishing companies who were not yet compliant. Those same comments, however, suggest that this will change in the coming years as the commission becomes less tolerant of those who are still non-compliant.
Hopefully your company already has a GDPR strategy and has either fully enacted it or is well on its way. Make sure that your company takes the privacy of personal information seriously, and that security is by design and by default. Make sure that you are very transparent in how you collect data and how you use it – and consent is paramount. Follow industry standard best practices for security, which include things like always encrypting passwords and never storing them in plain text, and ensuring that only those who need access to data have access. Finally, if your company does identify some way in which it is either non-compliant or has been breached, proactive notification and working with the commission is your best chance for success.