Saturday 25th May sees the first anniversary of GDPR – and its associated fines.
It’s fair to say that the effects haven’t been astronomical (at least not yet). The first year has been more about teething than handing down financial penalties. The UK watchdog, the ICO, is said to be spending more of its time on legacy cases brought under the Data Protection Act, including high-profile companies such as Uber, Equifax and BT.
It also hasn’t penalised companies harshly where they can show that they have taken adequate action to fix wrongdoings and comply with new regulation.
Though there have been few penalties, reports have been on the up. Research from Hiscox shows that complaints of online data breaches were up 160% in the six weeks after GDPR came into force.
Across the continent, the European Data Protection Board found that 206,326 cases were reported under the GDPR by supervisory authorities in 31 countries of the European Economic Area (EEA).
Fines throughout Europe totalled €55.96 million over the first year of GDPR. This sounds like a grand sum, but is mostly made up of a €50 million fine for Google.
France’s CNIL vs Google
In its first GDPR ruling, CNIL pursued Google, issuing a €50 million fine.
It imposed the penalty for a lack of transparency, inadequate information and lack of valid consent around ad personalisation.
The authority carried out online investigations and concluded that the information Google provides isn’t easily accessible to users. Information such as data processing purposes, data storage periods and the categories of personal data used for ad personalisation is spread across several documents, reached through various buttons and links. Some of it takes five or six actions to reach, and even then the information isn’t always clear.
What’s more, it found that consent isn’t obtained in a valid way and that user consent isn’t sufficiently informed. Again, information is spread over several documents, so users aren’t aware of the full range of services involved. The report concluded that there were ‘unlimited possible combinations’ of how users can permit Google to use their data.
GDPR fines in other parts of Europe
Germany’s regulator has been the most active since GDPR was introduced, issuing over 60 fines. Cases include:
- A clinic which accidentally handed over a copy of a severely handicapped person’s ID card to the wrong patient
- Bank customers being able to see bank statements of third parties in online banking
- Nuisance advertising emails
- A fire department recording all incoming and outgoing calls rather than just emergency calls
One of the German regulator’s largest cases involved a social media company, knuddels.de. It fined the company €20,000 for failing to secure customers’ personal data following a hack. Reports reveal that the email addresses and passwords of around 330,000 users were stolen and published by the hacker. The social media company in question didn’t encrypt customer passwords – it stored them in plain text, making them more vulnerable to crime.
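As an added illustration of the knuddels.de failure mode (this is example code, not anything from the article or from the company), the following shows what a password table should hold instead of plain text. Strictly, the control is a salted, deliberately slow one-way hash rather than reversible encryption: a stolen table of such records cannot be turned back into passwords, and each record has to be guessed at separately. It uses only the Python standard library; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256, and the usernames and passwords are constructed sample data.

```python
"""Salted, slow password hashing with the Python standard library (example code)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. A high iteration count is what makes
# offline guessing against a stolen table expensive; tune it to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed hash tables are useless against a leak.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    return "$".join(
        [
            ALGORITHM,
            str(ITERATIONS),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, TypeError):
        # Malformed or truncated record: treat as a failed login, never as a match.
        return False
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(expected, candidate)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """What the persisted table should hold: usernames and hash records only."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    table = build_user_table({"alice": "correct horse battery staple", "bob": "hunter2"})
    for user, record in table.items():
        print(user, record)
    print(verify_password("hunter2", table["bob"]))  # True
    print(verify_password("hunter3", table["bob"]))  # False
```

The record format carries its own algorithm and work factor, so the iteration count can be raised later and old records re-hashed on the user’s next successful login without a migration script.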
Austria fined an organisation that put a CCTV camera in front of its building which also recorded a large part of the pavement. It was fined €4,800 for monitoring a public space without appropriate transparency and notice.
The Portuguese Data Protection Authority fined Central Hospital of Barreiro Montijo €400,000 for allowing too many employees to access patient records.
And despite its tiny size, Malta has issued 17 fines under GDPR.
Will the UK get tougher on fines?
We could be seeing fines in the near future for Marriott International. In late 2018, hackers gained access to around 500 million guest accounts. Nearly two thirds of those affected may have had passport numbers, emails, dates of birth and mailing addresses stolen.
The hotel chain did inform the ICO of the breach. Unfortunately for Marriott, it had a $22.9 billion turnover in 2017, so a fine at the GDPR maximum of 4% of turnover would cost it a significant $916 million (£720 million).
An ICO spokesperson said:
“We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries.”
What about other companies who violate GDPR?
“The ICO’s position is that fines are a last resort in persuading businesses to comply with the GDPR,” says Patrick Wheeler, head of intellectual property and data protection at Collyer Bristow.
However, he warns that the anniversary will be marked with big fines: “There are good reasons for the ICO to make its presence felt now. In the last 12 months we have seen major data breaches from, to name just a few, British Airways, Ticketmaster, Facebook and HMRC,” he says.
“It will want to show that it takes its responsibilities seriously, that it has teeth and that it wants businesses to work hard to comply.”
There’s still time to comply
According to the aforementioned research from Hiscox, knowledge of the rules among small business owners is still lacking. A significant 39% don’t know who GDPR affects, while nine in ten don’t know the key new rights that GDPR gives to consumers. More worrying still, many businesses aren’t fully compliant yet.
Don’t panic if you need to plug some gaps. Read more over at ‘GDPR is now in force: make sure you don’t get caught out’.