Friday, August 31, 2018

What’s Happening with GDPR Enforcement?

Three months have passed since the EU’s General Data Protection Regulation came into effect, without any reports of significant enforcement actions or fines.  Yes, Google was hit with a whopping $5.1 billion fine on July 18, which would come close to wiping out its profits for the most recent quarter.  However, while the fine was a testament to the willingness of EU regulators to maximize the leverage at their command, the violations involved were of antitrust rather than data protection law.

It is worth noting that the Google fine came two years after charges were filed against the company, and even longer after an investigation into its practices was initiated.  Enforcement by EU data protection authorities often follows similar time frames – drawn out by US standards – in which attempts at education about compliance are followed if necessary by official warnings, the filing of charges if the warnings are not effective, a further period of time to allow a response to the warnings, and only then the issuance of an enforcement order and penalty.  David Meyer describes this more tolerant and collegial approach to enforcement in an IAPP Privacy Advisor article on why GDPR fines could be months away.

Of course, not all GDPR enforcement actions take years to progress.  When confronted with egregious data processing, more fully-empowered DPAs now have the power to order the suspension of such processing.  And even where some airing of complaints is appropriate, it is worth considering what’s in the pipeline.  According to a poll of DPAs conducted by IAPP, several thousand complaints about violations of the GDPR were received within the first month.  According to European Data Protection Board Chair Andrea Jelinek, as of July 19 there were around 100 cross-border cases under investigation in the Internal Market Information System (IMI).  According to Giovanni Buttarelli, the EU’s data protection supervisor, as of August 14, an additional 30 alleged violations of the GDPR were being actively investigated by the EU’s independent DPAs.

Furthermore, not all GDPR enforcement is initiated by DPAs.  Max Schrems filed the first legal cases against Google and Facebook under the GDPR just hours after the Regulation came into effect.  The possibility of collective action lawsuits for privacy violations was introduced by the GDPR and one is said to be brewing against Facebook in the UK. 

GDPR enforcement may be slow, but experts have never expected otherwise.  What is clear is that the enforcement is coming.  Companies that still adopt a “show me the money” approach to gauging and responding to risks – and what US privacy consultant hasn’t encountered these? – will be ill-prepared for what is to come.

2 comments:

  1. I think that I'm into your pieces of writing. I wait for your posts every week. I learn many new interesting things from the articles. The information is essential for me. I want to thank you for sharing.
  2. Modern life, people always find new technology to replace old technology, it takes a lot of time. Thus, artificial grass is born not only in sports but also in garden decor. Children's play areas are also used to create green spaces for the garden and play in a comfortable environment. for young children. In addition, it is also used in interior decoration, outdoor carpets, interior decoration, playground for kindergarten children, golf course, tennis court.