As of now, the GDPR has been in effect for four months. Many companies will have felt its impact as they have made (or are still making) an all-out effort to comply with all the new rules and guidelines. Governments in Europe who had not yet adopted laws to further implement the GDPR have been in a hurry to do so as soon as possible: Belgium just published theirs earlier this month.
In the meantime, individuals who feel their privacy has been violated can already lodge a complaint at the national data protection authority (DPA). DPAs are independent public authorities that can investigate complaints that they receive and issue fines when they discover a violation. The DPAs collaborate within the European Data Protection Board, which aims to harmonize the advisory and supervisory activities by the DPAs within the European Union as much as possible.
A huge number of complaints, questions and data breach notifications
Since the GDPR came into force, the DPAs have been kept busy by the huge number of complaints, questions and notifications of data breaches. Within one month, the Dutch DPA had received 600 complaints. The Belgian and Austrian DPAs received about twice as many complaints and notifications within the first month as they received in the whole of 2017. In Germany, the DPA receives as many calls and e-mails in one day as it normally received in two weeks before the GDPR. It’s a lot to process for the European DPAs, especially as seventeen of the twenty-four authorities that responded to a Reuters survey in May had already indicated that they did not yet have the necessary funds and manpower to effectively supervise the application of the GDPR. (There are 28 member states and national DPAs in the EU.)
Substantial fines, but not yet under GDPR
Even though the DPAs have powers to impose fines, it is estimated that it could be some time before we will see the first real GDPR fines. It usually takes authorities from several months up to a few years to investigate a case. DPAs also prefer to cooperate with and educate companies rather than imposing fines or periodic penalty payments right away. The fines that have been issued by DPAs in the last few months were therefore issued under the old national privacy laws. The Dutch DPA, for instance, has issued periodic penalty payments against the Dutch police and a bank. In July, the UK’s DPA fined Facebook 500,000 pounds for its part in the Cambridge Analytica scandal.
France and Spain have historically been quite strict in supervising the correct application of the French and Spanish privacy laws: the French DPA, CNIL, has issued multiple fines of up to 250,000 euros in the past few months for data breaches and other violations, and the Spanish DPA has recently ratified the fine it imposed on Facebook and WhatsApp in March of this year.
Compared to the fines under the old privacy laws, the fines that will be levied under the GDPR could be much higher. For example, under the old Dutch privacy law the maximum fine was 900,000 euros. Under the GDPR, this maximum is increased to 20,000,000 euros or 4% of worldwide turnover.
Pending investigations and cases
Several large investigations under the GDPR are pending at the moment. Max Schrems, an Austrian privacy activist, lodged complaints against Google and Facebook at the French, Austrian, German and Belgian DPAs for billions of euros on the very first day the GDPR entered into force. Meanwhile, the Spanish DPA is looking into a huge data breach at the telecommunications provider Telefonica in July.
Not only will it be interesting to follow the rulings of the DPAs on these complaints under the GDPR, but several pending court cases relating to the GDPR and its interpretation also deserve attention. In the United Kingdom, British Airways faces a class-action lawsuit for a breach of the credit card payment details concerning approximately 380,000 plane tickets.
In a very different kind of case, ICANN (the organization responsible for domain name system management) is questioning whether it can still maintain its WHOIS database, which offers contact information of users who have registered a domain name, under the GDPR. Some of the domain name registrars that have a contract with ICANN to deliver their users’ contact information, such as EPAG, have refused to do so in the light of the new privacy legislation, claiming that it is illegal under the GDPR. ICANN has filed proceedings against registrar EPAG for breach of contract, saying: “EPAG’s position has identified a disagreement with ICANN and others as to how the GDPR should be interpreted. This lawsuit seeks to clarify that difference in interpretation.”
A lot has already happened around the GDPR in these last four months, and several interesting investigations and court cases are still pending that will be decided in the upcoming months. We will keep you updated!
This article was written by intern Eline Hangelbroek, in collaboration with Matthijs van Bergen.