By no means all of the regulatory action under GDPR has been accomplished through fines on organizations. It is expected that the EU legal consensus regarding privacy will strongly influence their behavior. Since GDPR’s introduction, most regulators have taken a consultative stance, giving advice and looking for incremental improvements in behavior. That is beginning to change. Telecoms firms should take note.
Not all GDPR fines are public information in all countries. Despite the inherent motivational power of “naming and shaming” organizations, regulators in Europe have suppressed details – even the names of those being fined – with some frequency.
One of the better sources of information about GDPR enforcement can be found at enforcementtracker.com, provided by CMS Law.tax. As this website says, the data it provides is incomplete. It also includes fines announced but not finalized. Even with these shortcomings, it is an interesting place to look for trends.
Using this data, we can see an increase in enforcement of GDPR from 2018 through its first two years. This is hardly surprising.
In 2018 the GDPR was a dramatic change in most of Europe, a complicated new law often poorly understood.
Even well-meaning organizations needed a certain amount of digital transformation — including staffing, procedural changes, and changes to software — before they could comply. Most had been reluctant to invest in anticipation of the law, because it had been a moving target. Plus, as the NYT article stresses, regulators remain severely understaffed and must rely on voluntary compliance. Regulators have had little choice about being patient. There simply isn’t capacity in the regulatory offices of any country to build cases and fine everyone who transgresses. Building cases takes time and naturally creates a lag.
On the other hand, as of May 25, it has been two full years. So what do the enforcementtracker.com numbers show?
Ireland has not been aggressive so far
Based on data through mid-May, Ireland stands out as a country with a published record of levying only one fine. That fine was on May 17, just in time to avoid a “zero” for the first two years. Several very deep-pocketed U.S. firms have their E.U. headquarters in Ireland, including Facebook, Google, and Amazon. This makes the Irish their principal GDPR regulator, a source of deep frustration to many. Other European countries have been eager to curb these companies’ behavior. The French have fined Google anyway, as have the Swedes, while the Germans have fined Facebook. The privacy activist Max Schrems has recently published an open letter to national data protection authorities, the European Commission, the EU Parliament and the European Data Protection Board (EDPB). The letter says, “After two years, we feel that the time has come to shine light on the shortcomings of the GDPR’s current enforcement in Ireland and bring the debate into the public.”
GDPR fines have generally been low
While the overall total of fines in the EU isn’t trivial, critics say they have not been big enough. About EUR 470MM in total fines have been counted in the CMS database so far. Of this, just 2 UK fines (both in the “intent to fine” stage, not final) represent two thirds of the total. Both, interestingly, are rooted in inadequate cyber security — not in other privacy rights. By comparison, the single recent FTC fine against Facebook of USD 5 Billion makes the European total look underwhelming. (Predictably, critics say that this FTC fine was itself too small.) That the U.S. is one of only a few major countries with no national privacy law is ironic, if “total fines” is your measure of the seriousness of regulatory intent. Although they dominate the totals, multi-million-Euro fines have been fairly rare under GDPR. Bigger fines are the ones making headlines, like the UK fines against British Airways and Marriott, mentioned above. While the law permits fines of up to 4% of worldwide turnover, over 80% of fines have been less than EUR 100,000. The median fine in 2019 was just EUR 12,000 according to the CMS database.
Spain in 2020
Notably, there’s been a flurry of recent activity in Spain this year: 35 fines levied in just the first quarter, more than the total number for 2019.
This activity in Spain brings our attention to the most-fined industry, which is telecoms. About half the fines in Spain so far this year were against telecoms firms. Reportedly, some of these fines in amounts like EUR 40,000 and EUR 50,000 are for violations involving a single customer. Imagine those fines extrapolated to a larger fraction of customers, or if Spain had a legal culture of class action lawsuits more like that of the United States! Meanwhile, Spain is not alone. Italy issued a EUR 27.8MM fine to a telecoms firm this year, and Romania has fined one of its telecoms firms twice. As a result, telecoms received almost one in three fines so far this year and a large fraction of the 2020 year-to-date total in Euros.
Are regulators in the EU sending a message that it is past time to get serious about data protection? It would seem so, and telecoms are in the cross-hairs.