As Europe’s General Data Protection Regulation (GDPR) gains momentum—impacting data privacy on a global level—we are just beginning to see reports, cases, and instances in which the GDPR is enforced. Whether through warnings, sanctions, or fines, the GDPR is taking the initiative in data privacy enforcement.
A Brief Review
Having taken effect on May 25, 2018, the GDPR has passed its 6-month milestone. It answered the call for a strengthened, uniform, and comprehensive approach to dealing with data privacy. To recap, “general data” pertains to all personally identifying information of individuals who are located within the territorial scope of the European Union (EU). In the U.S., we generally refer to this type of data as personally identifiable information (PII).
The GDPR addresses the following key rights of data subjects:
- The right to be informed (Articles 13–14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure, aka “the right to be forgotten” (Articles 17 and 19)
- The right to restrict processing (Articles 18–19)
- The right to data portability (Article 20)
- The right to object (Article 21)
- Rights related to automated decision making and profiling (Article 22)
- Restrictions (Article 23)
According to Article 3, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” This means that if you are processing the personal data of individuals located within the EU, whether or not the processing itself occurs on European territory, the GDPR is enacted and enforceable.
Violating the GDPR potentially comes at a heavy price. Compliance violations could lead to fines of up to €20 million (about $22.6 million) or 4% of global annual turnover. For other breaches, fines are up to €10 million (about $11.3 million) or 2% of global annual turnover. In both cases, whichever amount is greater applies.
Themes From the First 6 Months
As May 25 passed, it was estimated that a significant percentage of organizations processing GDPR-governed data were not in 100% compliance with the regulation. However, being able to concretely demonstrate a good-faith, ongoing effort toward compliance was key.
Core requirements of the GDPR (e.g., providing documentation in the event of an audit, producing records of processing events at the time of request, and meeting the 72-hour breach notification window) all contribute to organizational anxiety. This impacts an organization’s compliance confidence.
The role(s) responsible for ensuring GDPR compliance vary by organization (e.g., the IT, finance, or legal department). There is no hard-and-fast rule for designating compliance roles. However, if an organization isn’t firm in assigning responsibility and expected mandates, GDPR compliance will ultimately suffer.
Surviving the GDPR regulatory audit
A GDPR regulatory audit comes from an outside agency (a regulator) and is comparable to an IRS audit. No organization wants one: it can happen without ample warning, it can result in fines, it damages the organization’s public image, and it leaves the organization in a state of unrest.
Enforcement Examples From Around the World
Facebook fan pages
On June 5, not 2 weeks after the GDPR took effect, the Court of Justice of the European Union (CJEU) released a decision on whether an administrator of a Facebook fan page is considered a data controller under the GDPR.
Business Academy Schleswig-Holstein, an education company based in Germany, was the administrator of a Facebook fan page used to market its services.
The violation? The Facebook fan page stored cookies to collect data about the person accessing the page.
Consequently, a German data protection authority ordered the fan page to be deactivated for lack of transparency because users were not informed about any personal data collection.
Business Academy Schleswig-Holstein argued that it was not responsible for the processing of personal data by Facebook; however, the CJEU issued a ruling that the fan page administrator was indeed a joint data controller and thus liable.
The first U.K. enforcement action came as a surprise in that the organization to receive an enforcement notice was AggregateIQ, which is based in Canada.
On July 6, the U.K.’s Information Commissioner’s Office, in no uncertain terms, cited AggregateIQ as within the territorial scope of the GDPR under Article 3(2)(b). The legal enforcement notice declares the company a controller as defined in Article 4(7). While the data investigated goes back to political campaigning in 2016, the concern is that it was still being held as of May 31, 2018, and that it had previously been subject to unauthorized access by a third party.
The violation? Failure to comply with Article 5(1)(a–c) and Article 6 (i.e., those relating to data processing) of the GDPR.
The notice says that data was processed in a manner by which the data subject was unaware, for purposes outside of expectations, and without a lawful basis for processing. It also claims that AggregateIQ is in violation of Article 14(1)(2)(5) (information to be provided when personal data has not been obtained from the data subject). Additionally, it states that the maximum GDPR penalty of €20 million could be imposed. This case is still pending in court.
In October, the Austrian Data Protection Authority issued its first fine for GDPR noncompliance. While speculation dictated that the first sets of fines would likely go to larger organizations, the infringing party here is an entrepreneur.
The violation? The business set up a CCTV camera in front of its building that recorded a substantial portion of the sidewalk.
According to the Austrian Data Protection Authority, this action constituted large-scale monitoring of a public place, which is not permissible under the GDPR. In addition, the camera used was not properly marked, meaning the required transparency obligations noted in the GDPR were not followed.
The fine in this matter was proportionate to the business’s income, in the amount of €4,800 (about $5,430). The Austrian Data Protection Authority holds the position that fines should be fair and equitable, which means an organization with a gross annual income of €40,000 (about $45,000) is unlikely to be slapped with the maximum €20 million fine.