GDPR 2019 – 2020 Road from implementation to enforcement (January 2020)
Since the introduction of the General Data Protection Regulation (“GDPR”) in May 2018, a lot has happened and companies all over Europe and the world have dealt with the issues that the new regulation has brought with it. From the data protection specialists’ point of view, it has been a time of progress since the general awareness of issues around data protection has increased on a management level but also in the general public. Directly, after the introduction of the GDPR in May 2018, there were no or only liberal enforcement measures. The dust had settled a little bit on these issues and companies were granted unspoken grace periods by the European authorities. This period of implementation and orientation for companies and the authorities seems, however, to have come to an end. We are now entering into an “era of the GDPR enforcement”.
Here is a look back at the story so far:
The first fines in the EU
The German authorities have been rather slow in adopting their enforcement strategy, although they were considered to be one of the main drivers of the strict parts of the regulation. Accordingly, the first major fines issued under the GDPR came from different member states:
- Portugal: fine of approximately EUR 500,000.00 for data breach incident in hospital;
- United Kingdom: EUR 180 million fine levelled against British Airway by the Information Commissioner’s Office, (“ICO“) for “insufficient“ security measures regarding customer data and the hotel chain Marriott faced a fine in the amount of EUR 115 million because its guest records were being exposed;
According to these examples, two major areas of fines can be identified:
- The first being cases of data breaches, which were potentially causing harm to data subjects,
- The second one being transparency issues in customer facing B2C products that heavily rely on personal data.
German Data Protection Authorities make a plan
In September of 2019, the German data protection authorities were finally ready to start their enforcement measures too. They did so by first issuing a concept paper that outlined the calculation of fines that were going to be levelled against data controllers for violating their obligations under Art. 83 GDPR. The principles established by the Conference of the Data Protection Authorities of the Federal Government and the Länder (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, “DSK”) are as follows:
- Step 1: Categorization of the offending company according to its annual turnover.
- Step 2: Determination of the offending company’s precise average annual turnover:
- Step 3: Determination of the company’s economic base value by dividing the average annual turnover of company (see Step 2) in 360 days.
- Step 4: Determination of a factor for the severity of the violation according to the criteria set forth in Art. 83 (2) GDPR and multiplication of the economic base value with this factor.
- Step 5: Adjustment of the result, taking into account any additional circumstances, e.g. an excessive duration of the proceedings, the company’s imminent insolvency, or other special personal characteristics of the offending company. This will be the hardest criteria to pre-determine for companies as it depends on the circumstances of the individual case.
Already at this stage, many critics feared that the very strict guidelines on fines could lead to much higher fines that data controllers were accustomed to expect under the old data protection regime in Germany (For more information, see here).
The first fines in Germany
In November 2019, the Berlin data protection authority issued a EUR 14.5 million fine against Deutsche Wohnen, due to their lack of a sufficient data retention policy and implementation. In a nutshell, the company did not take sufficient action to ensure that personal data, which was no longer accurate was deleted from their systems (please also see our summary and an interview by one of our experts).
The second big fine was issued against the telecommunications company 1&1 to the amount of EUR 9.5 million. The reason for this fine was the organisational setup of the customer support hotline of the company. The company hotline was set up in a way that customers were only required to give their full name and a date of birth to gain access to all related contracts. The responsible federal data protection agency in Germany found that this set- up did not protect the data subjects to the extent necessary.
Outlook for 2020
These fines indicate that enforcement measures in Germany and throughout the European Union have significantly picked up in the course of the year 2019.
For the year 2020, we expect no less. Very likely a series of big fines under the GDPR in Germany and throughout the EU will follow. The data protection authorities seem to have an agenda, whereby they want to issue fines for non-compliance at this stage, in order to set examples and ensure overall good enforcement of the regulation. At the same time, we see an uptake in litigation surrounding such fines. Both fines – based on the new Model DSK Model – in Germany for Deutsche Wohnen and 1&1 are going to be attacked in the court system. The same will most likely be true for future fines in the same magnitude class. This litigation against fines may curb the data protection authorities’ enthusiasm regarding big fines in the midterm future. However, at least for the year of 2020 and most likely also for 2021, the “wave” of enforcement and big fines will continue. For companies, which are subject to the GDPR, this means that a couple of steps are recommended.
- First of all, management has to have a clear picture of what data processing looks like in the respective company, if this has not yet been done.
- Secondly, companies have to get on track with improving data protection compliance throughout all parts of the company.
- Thirdly, companies need to set up defence strategies in advance of potential litigation in order to more effectively convert fines or preliminary actions by the data protection authorities.