Logo Logo
Cookiebot

 

The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

GDPR enforcement is turning one year old - a look at its impact so far

ONE YEAR has passed since the European GDPR (General Data Protection Regulation) came into effect on May 25, 2018.

A helicopter view of the situation a year later reveals both challenges and promises to its enforcement and effects.

Here is a GDPR anniversary update!

Reminder: What is the GDPR?


The GDPR, or General Data Protection Regulation, is an EU law that regulates how companies, organizations and other entities handle personal data. Its jurisdiction is global, because it requires everyone who deals with the data of an EU citizen to abide by its rules and regulations.

The GDPR empowers Europeans to control what data they wish to share, as well as enabling them to request their collected data deleted.

Read about the GDPR in further detail here.

Read the official GDPR law text here.

GDPR awareness amounts to 67% of EU citizens

Special Eurobarometer from the EU Commission available here.

If you have a website, you most likely have cookies and tracking technology operating on your site and you are therefore required by the GDPR to comply to its rules.

This includes:

Cookiebot is a GDPR compliant solution for your website. Try it for free here.

GDPR enforcement overview


One year into the enforcement of the GDPR, we are slowly beginning to see its impact.

GDPR enforcement in year one of the law

Special Eurobarometer from the EU Commission available here.

While fines have been slow to ramp up against companies and businesses who violate the GDPR, its effects can also be seen on new privacy laws springing up around the globe, as well as its role as an instigator of public privacy discussions.

How can the GDPR be enforced?

The GDPR can be enforced in various ways, ranging from –

So far, the most common GDPR enforcement has been warnings and fines.

Common types of GDPR complaints

Special Eurobarometer from the EU Commission available here.

GDPR fines in Year One

The sum of GDPR fines one year into its enforcement amount to approximately €56.000.000, according to the IAPP.

The average GDPR fine has so far been approximately €70.000, according to the London-based accounting firm Ernst & Young.

Infographic of GDPR enforcement in the EU

GDPR enforcement in numbers (infographic by IAPP).

Most of the GDPR enforcement cases so far have been discretionary, i.e. they have been imposed on a case-by-case basis.

The fines differentiate based on the what articles of the GDPR a company violates: if it violates its own obligations it will be subject to lower level fines, whereas violations of individual privacy rights will be subject to higher level fines.

Germany, Poland, Denmark, Austria and Portugal are among EU member states that have fined companies or organizations for GDPR violation in this first year.

France leads the GDPR enforcement in Year One

The French data protection authority CNIL can rightly be called the leading watchdog of GDPR when it comes to both enforcement and guidance so far.

CNIL received over 11.000 complaints in 2018 – an increase of 32.5% from the year before – and a large percentage of the complaints has been centered around the GDPR-introduced right to request deletion of personal online data. The French DPA has also been exemplary in guiding companies in GDPR compliance, as well as advising government legislation.

The largest monetary enforcement of the GDPR yet also emerged from CNIL on January 21, 2019, when the French data protection authority levied a €50 million penalty against Google for three separate GDPR violationslack of transparency (Article 12), inadequate information (Article 6) and lack of valid consent regarding the ads personalization (Article 7).

The €50 million fine was the result of an investigation launched on the basis of two group complaints by the privacy associations None of Your Business (noyb) and La Quadrature du Net (LQDN), who accused Google of violating the GDPR regarding the processing of personal data, particularly in the case of personalized advertisements.

“For the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law”, said the chairman of noyb Max Schrems.

These complaints were put to the French DPA on May 25 and 28 of 2018, that is, on Day One and Day Three of the enforcement of the GDPR. That it took CNIL six months to investigate and enforce, tells us something about the timeframe of larger GDPR enforcement cases… and might hint at much larger enforcements to come.

GDPR fines distributed across the EU

Special Eurobarometer from the EU Commission available here.

IRELAND, a challenge and a promise

Technically, Ireland has the singular role of being the GDPR’s lead regulator.

Why, you might ask?

Well, because a provision in the GDPR specifies that its lead regulator be the country that houses a tech company’s data controller, and because Ireland is the European headquarters for many big tech companies such as Facebook and Google, who enjoy lax tax arrangements from the Irish government, Ireland has the responsibility of leading the enforcement of the GDPR against the industry’s biggest.

Both the German and French DPAs have expressed their frustrations over the Irish DPA’s lack of enforcement.

Ireland is a tax haven for GPDPR non-compliant companies

Ireland has courted tech companies for years with low corporate taxes.

However, the Irish DPA revealed recently that their office plans to announce enforcement actions this summer, adding that they currently have 51 large-scale privacy investigations open, 17 of which involve tech companies like Twitter, WhatsApp, Instagram, LinkedIn and Apple, while 7 cases specifically involve Facebook.

On May 22, 2019 – three days short of GDPR’s birthday – the Irish Data Protection Commission (DPC) announced a comprehensive investigation of Google’s DoubleClick company (in the meantime rebranded as Authorized Buyers) for “suspected infringement” of personal data processing. The probe was triggered by a formal complaint from Dr. Johnny Ryan, Chief Policy Officer at Brave, the private web browser.

This investigation could lead to severe fines against Google, or even worse for the company: a complete prohibition of using personal data in its advertising system. The GDPR is showing teeth indeed.

A year into the enforcement of the GDPR we’ve mainly seen smaller fines, but have now begun to see larger and larger investigations and fines on the horizon, exactly because the bigger enforcement cases against the biggest industry heavy weights take a long time to build and execute.

This is why privacy experts say that they expect larger GDPR fines are on the way. 

Other GDPR enforcement techniques

The GDPR authorizes the national data protection agencies to be the chief enforcing bodies of the law. This means that national DPAs can fine companies (up to €20 million or 4% of their global revenue) or they can dictate how or what data companies can use in their business.

The latter can be enforced e.g. in the case of a data breach, where regulators deem a company negligent. In this case, they may issue an ultimatum for the company to either rectify the breach within 90 days or stop using the data that it has collected.

Data breaches reported under the GDPR

Special Eurobarometer from the EU Commission available here.

If a company relies on data collection as a core business model for profit, this could potentially be a bigger blow than a fine, however large.

So far, there have been only two examples of such

GDPR as ripple initiator – privacy laws around the globe


One year into the GDPR, we begin to see another of its impact that hasn’t to do with fines or enforcement, but with legal change – what LinkedIn’s head of global privacy recently called “the GDPRization of laws across the world”, meaning that laws all over the globe are beginning to spring up and take shape with inspiration from the GDPRs scope and strength.

CCPA, California Consumer Privacy Act will take effect January 2020

The California Consumer Privacy Act (CCPA) is the strongest privacy law in the US and will take effect on January 1, 2020.

Among the nations or states in the world that either have passed or are in the process of passing privacy laws are …

Argentina, Israel, Chile and China are among other nations who are working on privacy laws and regulations.

Public awareness of the ad tech industry and privacy

When it came into effect on May 25, 2018, GDPR was a top Google search keyword, outnumbering both Beyoncé and the Queen of England. 

It doesn’t anymore, but its mainstream reach is still to be felt. The effect of the GDPR has also been to foster a public discussion about privacy that is still raging to this day.

Awareness of data protection authorities

Special Eurobarometer from the EU Commission available here.

Its date of effect a year ago more or less coincided with the revelation about the Facebook/Cambridge Analytica scandal, perhaps the biggest, most reported privacy crisis last year, only rivaled by the digital interference by the Russian government in the US presidential election. 

Some of the biggest news outlets in the world have reported on the GDPR continually and privacy at large remains a big continuous topic, e.g. the NY Times with its article series titled The Privacy Project.

What to expect in GDPR Year Two?


As mentioned before, it is reasonable to say that we can expect bigger, more comprehensive GDPR enforcements in the second year of the General Data Protection Regulation.

Bigger investigations, larger fines.

Another thing to look out for this year, is the ePrivacy Regulation, which is currently underway, but stalled in the EU amid heavy lobbying from the tech industry. It is still expected to arrive either in 2019 or 2020.

Resources


Try Cookiebot for free to be GDPR compliant.

Read about the GDPR further detail here.

Read the official GDPR law text here. 

Infographic of GDPR’s first year.

The average fines of GDPR in its first year of effect, according to Ernst & Young.

UK’s ICO and its 57 GDPR enforcement actions.

List of biggest GDPR enforcement cases so far. 

Politico looks into the lack of enforcement by Ireland, the GDPR’s chief enforcer. 

The Facebook / Cambridge Analytica scandal in full view.

The facts of the Russian interference in the 2018 US presidential election.

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free