GDPR Anniversary Edition: Fines Dealt & Challenges Ahead

On 25th May 2019 it will be a year since the General Data Protection Regulation has been legally enforced by the European Union with a vision to safeguard the data of the citizens of the European Union.

The regulation allows citizens full control over the acquisition, process, retention or omission of their personal data, which in turn gives them complete control on how & to what extent they want to disclose their data to the business companies.

According to the French data protection agency CNIL’s Mathias Moulin, May 2018 to May 2019 has been a transition year for GDPR where several national data protection regulators finalized their rules & approaches towards GDPR compliances & decided to probe into the probable violations.

GDPR has been highly impactful in terms of sensitizing the organizations & the common masses at large about the value of data as a currency, to be leveraged only with the consent of the individuals to whom it belongs.

However, GDPR certainly has some visible loopholes. The most obvious one being that the law somehow has failed to impose fines on companies that have failed to adequately protect the customers' data – except for a few well-known industry giants, where the violations were too grave to be forgiven including Google, Facebook & Uber.

The challenges with GDPR have always been immense, majorly because the law has been the only one of its kind ever since its inception. The pre-GDPR world already had moved very far & fast in the direction of improving personalization for the customers & to optimize their experiences deriving data from Internet of Things (IoT) was a common practice. GDPR came as a renaissance for the marketers and compelled them to review their data protection, acquisition, processing, retention, and omission strategies.

The marketers across the world have just started acclimatizing to GDPR as the fines from failing to abide by the regulation are hefty which can amount up to €20 million or 4% of the global turnover of the company in any particular fiscal, whichever is greater. Majority of the firms across the globe were GDPR-phobic when it was launched but have now started reporting data breaches.

According to Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner's Office, the number of data breach reported in 2019 is expected to be approximately twice of those reported in 2018 (36,000 breaches expected in 2019, compared to roughly 18,000 to 20,000 reported in 2018).

Notable GDPR Non-Compliance Fines

1. Google witnessed the Highest Data Protection Fine Ever

The French Data Protection Authority, CNIL, fined the tech giant Google €50 million in January 2019 for violating the GDPR norms of obtaining consent that must be “granular, freely given, informed & must involve affirmative action”.

Google was fined because of its economic model that is dependent on ads & personalization. They violated GDPR guidelines “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalization”.

The penalty came as a result of complaints filed by two European pressure groups: None Of Your Business (NOYB) and La Quadrature du Net in May 2018.

The fine of €50 million, though largest till date, is still minimum for Google, as the maximum penalty would have been €4 billion if were calculated on the basis of the annual turnover of Google.

2. Chat app Knuddels fined €20,000 for Data Breach

In July 2018, the personal information of more than 3,30,000 users of the German social media platform Knuddels were hacked & compromised. The company discovered the breach in 2018 & reported the breach to the German Data Protection Authority, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI).

The accounts of all the impacted users were immediately shut down. In November, the LfDI issued a fine of €20,000. LfDI also discovered that the company stored the password in plain text. The fine was minimal considering that it could have been somewhere close to €10 million if the company would have been fined 4% of its annual revenue.

LfDI however, commended Knuddels for their "extreme co-operation" & the steps that they took afterwards to improve the data security of their users

3. Digital Marketing Company Bisnode levied

On April 1, 2019, the Sweden Headquartered Digital marketing Company Bisnode, which has a location in Poland, was fined €220,000 by the Polish Data Protection Authority, the national Personal Data Protection Office (UODO) for violating obligations under article 14 of GDPR.

The fine has been imposed as a result of the business model of the company which relies on the processing of the scraped data, which they utilize for insights without individually taking the consent of the data subjects.

In addition to the fine, the company must separately send an email to 6 million people within the next three months which will incur an additional cost of €8 million.

Bisnode though has said that it will push the controversial privacy penalty of the apex court of Europe & the final verdict may impact the privacy model of businesses across the globe.

4. Equifax Fined for failing to protect Personal Information

The Information Commissioner's Office fined Equifax LTD with £500,000 for failing to protect the personal information of 15 million UK citizens.

5. Denmark’s Taxi Company Taxa 4x35 for Retaining Customer Data Without Consent

A fine of 1.2 million kroner ($180,000) was imposed by Denmark's Data Protection Authority (DPA) on the taxi company Taxa 4x35 for not deleting customers’ telephone numbers.

6. Other Penalties

• The fines during these early days of GDPR have been relatively lesser though as €4,500 for a CCTV system that was deemed excessive.

• Uber was fined a combined $1.7 million by British & Dutch Data Protection Authorities (CNIL, AP, ICO) in November 2018 for a 2016 Data Breach. For more than a year this information was kept hidden by Uber. In the US, the company paid an additional $150 million as part of a settlement in September 2018 for failing to notify 6,00,000 affected drivers of the breach. Since the breach occurred in a pre-GDPR era the fines were low but could have been as high as 4% of the annual turnover of the company (USD 120 billion).

• A shipping company was fined by Hessian DPA £5,000 for missing Data Processing Agreement.

• A report published by DLA Piper GDPR Data Breach Survey in Feb. 2019 mentioned that more than 59,000 instances of personal data breach were reported in Europe till Jan 2019 & 91 fines were enforced in total.

• Netherlands followed by Ireland & Denmark witnessed the highest number of breaches reported

Ongoing Probes

• Facebook under scanner for storing passwords insecurely

• Microsoft being probed for GDPR complaint data processing

• Rubrik may face penalties for leaking customer data

• Amazon is being probed by the European Union on the ways it uses data from the customers

• Google is being investigated for breaking EU privacy laws in 7 different cases

• British Airways can be fined $500 million for data breach

• Besides, EU authorities are also inquiring Twitter in certain cases, US tech giant Apple in 2 cases, Facebook in 7 different cases & Microsoft-owned LinkedIn in one case of GDPR violation

• Companies like Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian are under scanner for not completely disclosing the Data Protection & Intrusion documents

GDPR Implementation Challenges

a. Organizations need to hold themselves accountable for the secure processing of data throughout the customers’ buying cycle

b. Fines and Penalties are subjective and depend upon various factors including:

• Nature of infringement,
• Intention,
• Mitigation measures taken by the organizations,
• Preventive measures,
• History of organizations,
• How firms co-operate with the data protection authorities (dpas),
• The data type in question,
• The notification period for the breach,
• Whether or not the firms had adhered to approved code of conduct,
• Other aggravating or mitigation factors
• & The vulnerability of the data & the customers involved.

c. The organizations need to match up with the minimum transparency & information requirements to comply with GDPR.

d. The potential costs for Subject Assess Requests (SARs) & data portability has to be abided by the organizations.

e. Under Article 30 of GDPR, the organizations have to keep a track record of the data processing activities

f. The territorial limits of GDPR are blatantly defined & not clear in Article3 (2)

g. Mandatory Data Protection Impact Assessments are additional burdens for organizations

h. Articles 48 & 49 describing the cross-border data transfer are ambiguous

i. It still remains unclear how the European Data Protection Authorities will be able to impose fines against non-complaint nations

Conclusion

In a GDPR compliant age, it is mandatory for the companies to act in accordance with GDPR rules not only to avoid the hefty fines but also to captivate the trust of their customers, investors & marketplace at large. Though across the globe, GDPR is still a newbie that needs to metamorphose into full-fledged & implementation-based form & has many loopholes; abiding by its norms is not only the best possible form of prevention against the hackers but also ensures that marketers are safe from stressful & expensive penalties & their reputation is intact.
We, at Valasys Media, advise you to be on the safe side of the law and read in detail about how you can be GDPR Compliant. For more information feel free to contact us.