22 January 2020 | By Michael Thaidigsmann
GDPR: ‘Years away from legal certainty’ as breach notifications keep rising
EU Justice Commissioner Didier Reynders has said that no statistics are available yet on the fines imposed so far across the EU for breaches of the GDPR. However, the number of complaints about potential infringements keeps rising, a study has found. Many companies and organisations are still believed not to be fully GDPR-compliant.
According to a report by the German news magazine ‘Der Spiegel’, Brussels does not (yet) have a clear picture of how the General Data Protection Regulation (GDPR) is being enforced by individual EU member states. The GDPR went into effect on 25 May 2018 and is due for an initial assessment by the European Commission in May 2020.
In response to a question posed by the German MEP Moritz Körner, Justice Commissioner Didier Reynders wrote that the Commission had so far been unable to get an overview of the number and amount of fines imposed under the regulation because some member states had not yet sent any figures to Brussels.
Reynders told the MEP that he had asked the European Data Protection Board, on which the heads of national data protection authorities are represented, to provide him with a “systematic and structured overview about these fines” – so far to no avail.
Growing number of reports of data breaches
Meanwhile, an estimated 160,000 reports concerning possible infringements of data protection rules have been made across the EU since May 2018, according to the latest survey by the law firm DLA Piper. That figure keeps rising, with an average of 278 notifications under the GDPR recorded every day recently. In the first eight months following the entry into force of the regulation, the daily number recorded was 247.
Of the 27 countries that provided data to DLA Piper on breach notifications, the UK, Germany and France ranked thirteenth, eleventh and twenty-third respectively on a reported fine per capita basis. Italy, Romania and Greece reported the fewest breaches per capita. Italy, which has 62 million inhabitants, has so far recorded only 1886 data breach notifications.
The same survey found that so far, a total of €114 million has been imposed in fines for GDPR infringements by the national data protection authorities of the 28 EU member countries. This includes a record €50 million fine slapped on Google by the French CNIL authority for a lack of transparency and consent.
Under the EU rules applicable directly in member states, companies can be fined up to four per cent of their annual turnover if they are found to have infringed GDPR rules. The sum of the fines imposed so far appears relatively low, but according to experts, it may well rise fast in the coming months and years, as could the number of complaints and the level of activity by data protection authorities.
Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated, and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”
Following two high-profile data breaches, the British regulator ICO published notices of intent in July 2019 to impose new record-breaking fines totalling 282 million pounds sterling (€329 million). Neither of these has been finalised yet, though. The UK will leave the European Union as a member state on 31 January; however, the GDPR will remain in force, at least during the transition period.
German official: ‘Enough time given to comply’
Although the regulation has been a hot topic for a number of years now, many companies are still not fully compliant.
Germany’s Federal Data Protection Commissioner Ulrich Kelber told “In-House Legal” that “companies have had four years to adapt their processes. I don’t have the impression that companies and organisations have fundamental deficits in applying the GDPR. Of course, I know that sometimes new questions on data protection are popping up, but I advise companies and organisations to try and resolve these problems quickly and together with the competent supervisory authority.”