The GDPR in action!!
7 February 2019 (Brussels, Belgium) — In the heat of Legalweek/Legaltech in New York last week, we missed the first report by the European Commission on various actions taken post-GDPR enactment, plus an update of Cisco’s Data Privacy Benchmark Study, along with the DLA Piper GDPR study. I spent the past weekend reviewing them … so you don’t need to (with a big hat tip to my staff for its assistance, plus Serge Long at IAPP).
Some highlights:
- More than 59,000 data breach notifications have been reported to Data Protection Authorities (DPAs) across Europe by both public and privately owned organizations since the EU's GDPR was passed on May 25, 2018.
- The Netherlands, Germany and the UK lead the rankings with roughly 15,400, 12,600, and 10,600 reported breaches respectively, as detailed in a report published by the DLA Piper global law firm, while companies from Liechtenstein, Iceland, and Cyprus reported 5, 25 and 35 breaches respectively.
- While the European Commission statement (issued on January 25th) said that companies had reported 41,502 data breaches since the GDPR's enactment, DLA Piper notes that these results were "based only on the voluntary contributions of 21 (out of 28 EU Member States) data protection regulators".
- Taken all together, IAPP calculates that there have been 59,430 reported data breaches over the period across Europe.
- The biggie: Google was slapped with a record €50 million fine. So far, 91 fines have been imposed under the GDPR across the EU, but it is worth mentioning that not all of them relate to personal data breaches. Among those not connected to personal data breaches, Google's is the highest GDPR penalty ever; it was issued by the French Commission Nationale de l'Informatique et des Libertés (CNIL) on January 21 for failing to obtain user consent to process data for ads personalization and for violating transparency and information obligations.
- While no other fine comes close to the one Google was recently slapped with, the DLA Piper report says that DPAs all over the EU were quite busy with:
  - a €20,000 fine imposed on a company for failing to hash employee passwords, resulting in a security breach
  - an €80,000 fine in January 2019 for publishing health data on the internet
  - a €4,800 fine issued in Austria for operating an unlawful CCTV system that was deemed excessive because it partially surveilled a public sidewalk
  - four fines reported by Cyprus, with a total value of €11,500
  - a total of 17 fines reported by Malta, a surprisingly large number given the relatively small size of the country
- While not all data breach notifications and user complaints end up with a fine, the fact that the GDPR has led to big tech companies being held responsible for their lack of interest in protecting the personal data and privacy of EU citizens is definitely the result EU residents were hoping for.
- YouTube is currently the target of a GDPR complaint filed by Max Schrems' NGO, NOYB, for "right to access" violations under GDPR's Article 15, with a possible maximum penalty that could reach €3.87 billion. Note: Apple, Amazon, Netflix, Spotify, SoundCloud, Flimmit, and DAZN are also being targeted by GDPR complaints for the same reasons.
- In November 2018, Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also the subjects of a GDPR complaint filed by Privacy International for illegally collecting the data of millions of people to build user profiles.
- And a final note: it is important to mention that the GDPR has also overhauled data security since it was passed. Companies that closely conform to its provisions experience benefits such as fewer and less severe data breaches, fewer records affected by attacks, shorter downtimes, and lower overall costs, as reported by Cisco in its Data Privacy Benchmark Study.