Over the weekend, the GDPR celebrated its first birthday, presumably by blowing out a single candle on a cake made entirely of ABOUT COOKIES ON THIS SITE webpage overlays. The General Data Protection Regulation came into force on May 25, 2018, and promised to be a milestone in Internet user privacy and data awareness. For end users, though, it’s mostly seemed to mean a lot more “I agree” buttons to click and “Yes, you can really send me emails, that’s literally why I’m signing up for this email newsletter in the first place” checkboxes.
The employment law firm Ius Laboris has assembled data from across the European Union on how, exactly, the GDPR has been enforced in that year. Companies, including publishers, spent a lot of money getting GDPR compliant in order to avoid the huge fines the new regulations allowed — up to 20 million euros or 4 percent of a corporation’s entire global revenue.
So how has it been enforced so far? Not all that much.
Ius Laboris has country reports from 25 of the 28 EU states (sorry, Estonia, Malta, and Romania) and the summaries are worth reading if you’re into this sort of thing — but here are a few of the highlights.
In some cases, that’s an issue of delay: Each country has to embed the GDPR into its own national laws, and some have been slower than others in doing so — as well as the obligatory follow-up actions of appointing the people who’ll make the decisions and so on. But others appear to have just taken a lighter approach to enforcement, preferring to send legal nastygrams to companies that appear to be on the wrong side of the law.
(And in a few cases it’s theoretically possible that Ius Laboris missed a fine, such as in Germany, where they’re handled by individual state authorities rather than a federal entity.)
Lithuania fined “the electronic money institution MisterTango” 61,500 euros for, among other things, failure to disclose a data security incident.
The Netherlands had only one fine, but it was a biggie: 600,000 euros for Uber, also for not reporting a security breach. (Uber has also faced a 400,000-euro fine from France and a negative ruling from authorities in Greece.)
One of Poland’s two fines went to “a sports association for failing to delete judges’ data effectively.” One of Portugal’s four was 400,000 euros for a hospital that gave staff “indiscriminate access…to patients’ data.”
While Denmark hasn’t issued any fines yet, its first is currently in the pipeline, for a taxi company found to be storing 9 million riders’ phone numbers.
Hungary has issued a number of fines of about HUF 1 million (around 3,000 euros), including to a credit management company that didn’t delete a user’s phone number after being asked and to a company that deleted camera recordings a person had wanted to use as evidence in a legal proceeding.
Germany has issued 75 fines under the GDPR, though they total only 449,000 euros between them. (The largest was 80,000 euros.) Also fun: The German law implementing GDPR is known as the Bundesdatenschutzgesetz.
Meanwhile, Paris has levied by far the largest fine under the GDPR: 50 million euros on Google for a panoply of different data privacy issues around targeted advertising. That fine alone makes up nearly 90 percent of all fines issued in GDPR’s first year, which add up to about 56 million euros.
France has also had a number of other large fines: 250,000 euros for Bouygues Telecom, 400,000 euros for Uber, 50,000 euros for Dailymotion, and 250,000 euros for something called Optical Center, “all relating to a lack of technical measures securing client data.”
As far as I am aware — and based on Ius Laboris’ findings — no publishers have faced a GDPR fine. (Speak up if you know differently.)
Of course, a regulation shouldn’t be judged purely on how many fines it hands out. A number of investigations — particularly in Ireland, where many American tech companies officially homestead their user data — will likely bear fruit in a future season. All the work that went into GDPR compliance no doubt prevented any number of violations from happening and forced companies to reevaluate core questions about how they store and process user data.
But for those for whom it was the threat of bajillion-dollar fines that got them interested in the GDPR — that doesn’t appear to have come to pass. Yet. (Unless you work at 1600 Amphitheatre Parkway in Mountain View.)