It's been three months since the introduction of the European Union's much-heralded General Data Protection Regulation, which gives the bloc's regulators unprecedented power to sanction companies for abusing Europeans' privacy rights. Thousands of complaints were made in the first month of the GDPR's existence, so why haven't we seen a wave of GDPR fines yet?
The simple answer, according to data protection authorities and rights groups, is that it's too soon.
"We are dealing with the first GDPR cases but it’s too early to speculate about fines or processing bans at this stage," said a spokesperson for the U.K.'s Information Commissioner's Office. And here's France's CNIL: "The complaints brought before the CNIL in relation to the GDPR are currently in a trial phase and we do not know yet when the CNIL will deliver its decisions."
"Datainspektionen has not issued any fines so far," said Josefine Paulie, a legal advisor at the Swedish DPA. "I can unfortunately not say when we will issue fines."
But that doesn't mean there's been no action since May 25. At least one DPA — the Unabhängiges Landeszentrum für Datenschutz (ULD) in the German state of Schleswig-Holstein — has already used the new legal regime to stop companies from processing personal data.
"We have already issued such bans on processing, [for example] in the case of webcams on the internet that failed to comply with data protection law," the ULD's Marit Hansen said. "To be fair, these cases began before May 25, but since then we received additional complaints. The legal assessment prior and after May 25 was the same – only the numbering of the legal provisions in the German Data Protection Act had changed. But before May 25, we couldn't use that instrument to limit [or] ban the data processing."
The Schleswig-Holstein DPA explained that the webcam cases involved the streaming of scenes such as beaches and harbors that did not exclude identifiable people. The providers claimed the streams had a legitimate purpose — tourism promotion — but "the touristic purposes could be met without showing identifiable people by a different setting of the webcam: a slightly different angle and image clipping so that people are not in the front of the picture, [for example] when they put on their bathing suits."
The ULD showed the webcam operators how they could continue streaming legally, but they didn't change the cameras' settings, instead stopping the streams in order to comply with the regulator's demands.
The ICO also pointed out that sanctions aren't the only powers that DPAs now wield in order to change companies' behavior. "The ability to issue larger fines is just one part of the new legislation," the British DPA's spokesperson said. "We have already started to use our powers of assessment and audit in order to begin looking at certain organizations’ data protection practices."
So what about the most high-profile cases, such as those launched against the likes of Google, Facebook and Amazon right at the start of the GDPR era? There, everyone will just need to be patient. Very patient.
The ULD's Hansen laid out the likely timeline for a straightforward, "perfectly prepared" complaint about a clear GDPR violation, made on May 25 to the correct DPA about a company that clearly lists the details of the right contact. The DPA would likely ask the data controller for its own side of the story, usually in a written hearing.
"It will take about one month before a response will be received," she said. "If there is no response, a reminder will be sent out (taking another month). In case lawyers are involved, they often ask for more time."
In a "quick case," the DPA might then close the investigation — or it might ask for further clarification. Then it would issue a draft assessment, asking for the controller's comments. Another month right there, and that's not taking into account the efforts that DPAs will make to ensure that their administrative orders are "court-proof."
"For clear and simple cases, it will take some months before a fine will be issued. For other cases (the majority) it will take longer," said Hansen. "This is comparable with state [prosecutions] where in Germany a case may take more than a year … Also, some of the infringements can only happen after some time, [for example] if there is no response for an access request where data subjects may have to wait a month."
In short, Hansen said, six months for the issuing of the first GDPR fines "would be quick," and that's just for the simpler cases. In larger cases, she warned, one has to take into account the complexities of cross-border cooperation, the relative inexperience of DPA staff in handling court cases (compared with companies' lawyers), and the fact that judges will have limited case law to go on as they make their decisions.
So what do digital rights and consumer advocacy groups make of the slow, methodical nature of the sanctioning process, and do they expect to see DPAs make a splash with high-profile fines that require a lot of preparation, before dealing with lower-profile violations?
"It is simply too soon to tell," said a spokesperson for BEUC, the European consumer organization. "We intend to monitor what the DPAs will do."
Joe McNamee, the executive director of European Digital Rights, said DPAs should be using the "full weight of the law" against large-scale abuses, but "a more gentle pedagogical approach would be appropriate where the breach is neither egregious nor willful. If [DPAs] don't have the resources to pursue both lines at the same time, the Commission should take action," McNamee said.