Better Compliance Through One Year of GDPR Enforcement
A little over one year has passed since the General Data Protection Regulation (GDPR or “Regulation”) came into effect. In that time, as expected, consumer complaints, administrative fines, and regulatory action have markedly increased. Trends in GDPR enforcement to date provide insight into the effectiveness and potential weaknesses of compliance strategies.
The GDPR, a privacy law that is in effect in the European Economic Area (EEA) (i.e., the European Union (EU) countries plus Iceland, Liechtenstein, and Norway), is rooted in the European view of privacy as a fundamental right.[1] Accordingly, the GDPR takes an expansive approach to the protection of personal data and defines such data broadly, encompassing all information that relates to an identifiable natural person.[2] Any processing, including collection, organization, storage, use, disclosure, and even deletion of data, similarly falls within the ambit of the Regulation.[3] Perhaps most notably, the GDPR applies extraterritorially (even to companies established outside of the EEA)[4] and imposes hefty fines for noncompliance (up to four percent of annual global turnover or €20,000,000, whichever is greater).[5]
Finding Clarity in Enforcement Trends
The post-GDPR landscape has been shrouded in uncertainty. In the first year, data protection authorities (DPAs) reported over 144,000 complaints and inquiries, as well as more than 89,000 data breaches, with nearly all DPAs reporting a significant increase in activity compared to 2017.[6] As expected, France, Germany, Ireland, Spain, and the United Kingdom have been most active. The resulting enforcement actions provide insight into how DPAs intend to implement the GDPR moving forward,[7] particularly with respect to extraterritorial enforcement, fines and other penalties, and the types of violations most likely to draw scrutiny.
The UK Information Commissioner’s Office (ICO) served its first enforcement notice[8] in July 2018 on an obscure Canadian company, AggregateIQ (AIQ), which has links to the Brexit referendum and the 2016 U.S. presidential election. The ICO alleged that AIQ processed data without lawful basis, proper notice, or consent, which AIQ used to target individuals online with political advertisements. The ICO asserted jurisdiction based on AIQ’s collection of data from, and tracking of, individuals located in the UK. Although AIQ initially challenged the ICO’s jurisdiction, it ultimately complied, likely as a result of cooperation between Canadian regulatory bodies and the ICO, as well as the ICO’s narrowing of compliance requirements.[9]
In late 2018, the ICO determined that The Washington Post, a U.S.-based news organization, violated the GDPR because it did not offer a free method of disabling cookies, which track a user’s online activity. One either had to pay for membership or consent to cookies to access The Washington Post’s website.[10] Despite the ICO’s execution of a memorandum of understanding with the Federal Trade Commission for mutual cooperation in investigating alleged privacy violations, the ICO merely issued a warning and reportedly acknowledged in a statement that “there is nothing more we can do in relation to this matter” should The Washington Post refuse to comply.[11]
Meanwhile, the European Data Protection Board (EDPB), the EU body in charge of the application of the GDPR, issued guidelines on the extraterritorial scope of the GDPR that discuss enforcement through representatives in the EU of companies not established in the EU.[12] U.S.-based companies continue to watch for signs of the DPAs’ willingness or strategy for extraterritorial enforcement of the GDPR, but it is apparent that these efforts will largely depend on the seriousness of the violation and will rely, at least in part, on cooperation with local authorities.
Fines and Other Penalties
In the first nine months of the GDPR, fines imposed totaled €55,955,871.[13] The bulk of this amount, however, consists of the French DPA’s (CNIL’s) €50,000,000 fine against Google for failing to comply with transparency obligations regarding data processing.[14] This penalty is significantly higher than the €100,000 fine imposed on Google just two years earlier under the GDPR’s predecessor, the Data Protection Directive, for failing to delete data subjects’ information.[15] Fines will likely continue to intensify in frequency and amount. Indeed, in July 2019 alone, the ICO issued notices of intention to fine Marriott and British Airways more than €109,000,000 and €202,000,000, respectively, in relation to data breaches in late 2018.[16]
Headline-making fines tell only part of the story. Fines in the hundreds to tens of thousands of Euros have also been imposed, signaling that DPAs are just as interested in small companies and relatively minor infractions as they are in tech giants and large-scale violations.[17] Although not as frequently publicized, DPAs have also ordered cessation of processing,[18] various corrective actions,[19] and prohibition of popular software (e.g., Microsoft Office 365),[20] which for a business can have just as significant an impact as a substantial fine.
Effective Compliance: Learning from Guidance, Mistakes, and a Shifting Landscape
By June 2019, 73 percent of Europeans knew at least one of their rights under the GDPR;[21] DPAs had identified issues of local concern;[22] and the EDPB continued to issue guidance regularly. In April 2019, for example, the EDPB released 14 pages of guidance on Article 6(1)(b) alone, delineating the Regulation’s requirements with respect to contracts for online services.[23] Companies have a tremendous opportunity to learn not only from formal guidance issued by DPAs and the EDPB, but also from the complaints that have been made by an increasingly aware populace, and from the mistakes of others caught in enforcement actions.
For instance, analysis of the past year’s enforcement actions reveals the types of violations that are the focus of consumers and DPAs. Ensuring a lawful basis for data processing and obtaining proper consent are primary concerns (see, e.g., CNIL’s groundbreaking €50,000,000 fine against Google this year for the company’s failure to obtain valid consent for targeted advertisements).[24] Overall, 21 percent of the complaints filed in France related to digital marketing practices.[25] In June 2019, the ICO warned the advertising technology industry that its practice of processing special categories of data (i.e., data concerning race, ethnicity, and sexual orientation, among others) without explicit consent violates the GDPR.[26]
Ensuring data subjects’ access to their data continues to be a high priority. In its third ongoing investigation of the corporate giant, the Irish DPA opened an inquiry into Apple’s responses to consumers’ Data Subject Requests.[27] Similarly, in November 2018, the Dutch Ministry of Justice and Security questioned Microsoft’s data collection telemetry system in Office Pro Plus.[28] A few months later, the European Data Protection Supervisor followed up with an inquiry into the contracts between Microsoft and EU institutions.[29] The right of access is also at the core of a class action lawsuit filed against Google in a French administrative court, in which a consumer group alleges that Google’s “endless confidentiality rules” are “a veritable obstacle course” in violation of the GDPR.[30]
Data breaches remain a serious concern, as evidenced by the ICO’s recent notices stating its intention to fine Marriott and British Airways.[31]
It is clear that DPAs are carefully scrutinizing GDPR compliance efforts. Accordingly, it will not be enough to simply have some mechanism to obtain consent, to have some basis for data processing, or to employ the simplest data security measures. Companies instead should continuously reevaluate their compliance strategies to keep pace with an ever-shifting regulatory landscape. Indeed, the GDPR is here to stay, and many jurisdictions are quickly following with their own comprehensive data privacy laws.
Anna Mercado Clark is a partner in the New York City office of Phillips Lytle LLP. Dean A. Elwell, Phillips Lytle Summer Associate, assisted in the preparation of this article.
1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, art. 1, 2016 O.J. (L 119) (EU), https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en [hereinafter GDPR]; Decision of the EEA Joint Committee amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement, 2018 O.J. (L 183/23) (EEA), https://www.efta.int/sites/default/files/documents/legal-texts/eea/other-legal-documents/adopted-joint-committee-decisions/2018%20-%20English/154-2018.pdf.
2. GDPR, supra note 1, art. 4(1).
3. Id. art. 4(2).
4. Id. art. 3(1), (2).
5. Id. art. 83.
6. Eur. Data Prot. Bd., 1 Year GDPR—Taking Stock (May 22, 2019), https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en; Eur. Data Prot. Supervisor, Annual Report 2017 (Mar. 19, 2018), https://edps.europa.eu/sites/edp/files/publication/18-03-15_annual_report_2017_en.pdf.
7. The GDPR is widely expected to largely continue to apply in the UK even after Brexit.
8. U.K. Info. Comm’r’s Off., Enforcement Notice to AggregateIQ Data Services Ltd (July 6, 2018), https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf.
9. U.K. Info. Comm’r’s Off., Enforcement Notice to AggregateIQ Data Services Ltd (Oct. 24, 2018), https://ico.org.uk/media/action-weve-taken/enforcement-notices/2260123/aggregate-iq-en-20181024.pdf; see U.K. Info. Comm’r’s Off., Report to Parliament, Investigation into the Use of Data Analytics in Political Campaigns, at 42, 52 (Nov. 6, 2018), https://ico.org.uk/media/action-weve-taken/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf; Canada, House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Addressing Digital Privacy Vulnerabilities and Potential Threats to Canada’s Democratic Electoral Process, 42nd Parl., 1st Sess., Ethics Rep. No 16, at 24 (June 2018), https://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP9932875/ethirp16/ethirp16-e.pdf.
10. Email from U.K. Info. Comm’r’s Off. to WP Company LLC (Oct. 11, 2018), https://mega.nz/#!mkISAIrb!xrior2Ffk7C_ILuNTqa9uPhuzMYPUjU19FSwfZTFrqM; see Rebecca Hill, Washington Post Offers Invalid Cookie Consent Under EU Rules – ICO, The Register (Nov. 19, 2018), https://www.theregister.co.uk/2018/11/19/ico_washington_post.
11. Hill, supra note 10.
12. Eur. Data Prot. Bd., Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3), at 19 (Nov. 16, 2018), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf.
13. Eur. Data Prot. Bd., First Overview on the Implementation of the GDPR and the Roles and Means of the National Supervisory Authorities, at 13 (Feb. 26, 2019), http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf.
14. Commission Nationale de l’Informatique et des Libertés, The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against GOOGLE LLC (Jan. 21, 2019), https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.
15. Ct. of Just. of the Eur. Union Press Release No 2/19, Advocate General Szpunar Proposes that the Court Should Limit the Scope of the Dereferencing that Search Engine Operators Are Required to Carry Out to the EU (Jan. 10, 2019), https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-01/cp190002en.pdf.
16. U.K. Info. Comm’r’s Off., Intention to Fine Marriott International, Inc More Than £99 Million Under GDPR for Data Breach (July 9, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach; U.K. Info. Comm’r’s Off., Intention to Fine British Airways £183.39m Under GDPR for Data Breach (July 8, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways.
17. See, e.g., First GDPR Fine in Bulgaria, GDPRToolkit (Feb. 20, 2019), https://gdprtoolkit.eu/first-gdpr-fine-in-bulgaria (511 Euros imposed by Bulgarian DPA for failing to delete data upon request); Eur. Data Prot. Bd. Press Release, First Austrian Fine: CCTV Coverage – Summary (Sept. 12, 2018), https://edpb.europa.eu/news/national-news/2018/first-austrian-fine-cctv-coverage-summary_en (5,280 Euros imposed by Austrian DPA on a sports betting café for expansive use of CCTV surveillance).
18. See, e.g., U.K. Info. Comm’r’s Off., Enforcement Notice to AggregateIQ Data Services Ltd (Oct. 24, 2018), supra note 9.
19. LaLiga, the Spanish soccer league, was fined and asked to correct violations, including modifying its application so that LaLiga could not remotely use the microphone and GPS functions of fans’ phones to record their surroundings in an effort to identify illegal streaming of its matches. See Natasha Lomas, LaLiga Fined $280K for Soccer App’s Privacy-Violating Spy Mode, TechCrunch (June 12, 2019), https://techcrunch.com/2019/06/12/laliga-fined-280k-for-soccer-apps-privacy-violating-spy-mode. Teemo, a location-based advertising platform, was given three months to change its method of obtaining consent and providing information to data subjects regarding processing after CNIL found that both violated the GDPR. Commission Nationale de l’Informatique et des Libertés, Decision No MED-2018-022 (June 25, 2018), https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037217051.
20. Press Release, Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Statement by the Hessian Commissioner for Data Protection and Freedom of Information on the Use of Microsoft Office 365 in Hessian Schools (July 7, 2019), https://datenschutz.hessen.de/pressemitteilungen/stellungnahme-des-hessischen-beauftragten-f%C3%BCr-datenschutz-und (German DPA prohibited use of Microsoft Office 365 in schools because it exposes personal data to possible access by “U.S. officials”).
21. Eur. Comm’n Press Release IP/19/2956, Data Protection Regulation One Year On: 73% of Europeans Have Heard of at Least One of Their Rights (June 13, 2019), http://europa.eu/rapid/press-release_IP-19-2956_en.htm?locale=en.
22. Commission Nationale de l’Informatique et des Libertés, Presentation of the 2018 Activity Report and 2019 Issues of the French Data Protection Authority (Apr. 15, 2019), https://www.cnil.fr/en/presentation-2018-activity-report-and-2019-issues-french-data-protection-authority; Republic of Bulgaria, Commission for Personal Data Protection, Annual Activity Report of the Commission for Personal Data Protection for 2018, at 27 (Jan. 28, 2019), https://www.cpdp.bg/en/index.php?p=element&aid=1181.
23. Eur. Data Prot. Bd., Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects (Apr. 9, 2019), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf.
24. Commission Nationale de l’Informatique et des Libertés, The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against GOOGLE LLC, supra note 14.
25. Commission Nationale de l’Informatique et des Libertés, Presentation of the 2018 Activity Report and the CNIL 2019 Issues (Apr. 15, 2019), https://www.cnil.fr/fr/presentation-du-rapport-dactivite-2018-et-des-enjeux-2019-de-la-cnil.
26. U.K. Info. Comm’r’s Off., Update Report into Adtech and Real Time Bidding (June 20, 2019), https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf; GDPR, supra note 1, art. 9.
27. Padraic Halpin, Irish Regulator Opens Third Privacy Probe into Apple, Reuters (July 2, 2019), https://www.reuters.com/article/us-apple-dataprotection/irish-regulator-opens-third-privacy-probe-into-apple-idUSKCN1TX21V; see GDPR, supra note 1, art. 15–21.
28. Rijksoverheid, Data Protection Impact Assessment on Microsoft Office (Nov. 7, 2018), https://www.rijksoverheid.nl/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office; see Daniel Lippman, Microsoft To Update Office Pro Plus After Dutch Ministry Questions Privacy, Politico (Feb. 8, 2019), https://www.politico.eu/article/microsoft-to-update-office-pro-plus-after-dutch-ministry-questions-privacy.
29. Eur. Data Prot. Supervisor Press Release, EDPS Investigates Contractual Agreements Concerning Software Used by EU Institutions (Apr. 8, 2019), https://edps.europa.eu/press-publications/press-news/press-releases/2019/edps-investigates-contractual-agreements_en.
30. Assoc. Press, French Lawsuit Accuses Google of Violating EU Privacy Rules (June 26, 2019), https://www.apnews.com/dd72d3e691094bada612fa5ec09a8a8c; Agence France Presse English Wire, French Consumer Group Launches Class Action Against Google (June 26, 2019), https://www.france24.com/en/20190626-french-consumer-group-launches-class-action-against-google.
31. Supra note 16.