Posted on May 25, 2021
The General Data Protection Regulation (GDPR) turns three years old on May 25th, 2021, so it’s an appropriate time to look at how it’s been enforced and some of its consequences. Most of the fines were for the kinds of breaches you might expect, but as we’ll see, some punishments were for what seem like very novel interpretations of the law. Predictably, big businesses have received substantial fines, but small businesses and individuals have been hit too. Perhaps as you might expect for a law that covers 31 countries, enforcement is substantially inconsistent between nations, more so than differences in size and wealth would explain (as a reminder, the GDPR applies to EU countries and several European countries not in the EU, most notably Iceland, Norway, and the UK).
Oddly, there’s no central European repository of enforcement actions and the publication of actions varies from country to country. However, several groups have collected data from government and press sources, and thanks to their efforts, we have a picture of how countries have applied the regulation over the last three years. I’ve taken data from www.enforcementtracker.com and several other sites for this analysis.
Let’s start by looking at how regulatory actions have changed over time and which European countries have been actively enforcing the regulation.
This chart shows the number of regulatory actions that countries have taken over time (as of the end of April 2021). Because there’s no central repository, the data is incomplete, and for a handful of known actions I don’t have complete dates, but even so, the chart tells a clear story.
(Regulatory actions, removing ‘duplicates’ and actions where the date is unknown, as of end April 2021.)
After the GDPR was enacted in 2018, the press speculated that there would be a honeymoon period to allow companies to adjust, and the data seems to bear that out. Enforcement increased sharply starting in 2019 and it’s obvious actions are increasing over time. It’s a reasonably safe bet this trend will continue into the future.
Looking at the country level, enforcement varies widely, as I’ve shown in the chart below. Once again, data collection is more complicated than you might think: for example, the UK’s regulator often reports two actions for a single incident (an enforcement notice and a monetary fine), which I’ve counted as one, and each of the 16 German states (Länder) has its own regulator reporting in its own way. Despite these complications, the chart clearly lays out the inconsistencies between countries.
(Regulatory actions, removing ‘duplicates’, as of end April 2021.)
Of course, there could be several reasons why these stark differences exist: some regulators may be better funded or have more staff, corporate practices may differ between member states, and of course some countries may simply make it a priority to enforce the rules more than others.
To understand what’s going on, we need to look at the country level in more detail.
As we’ll see, it’s very apparent that countries each have their own particular concerns and they’re using the GDPR in different ways. Austria seems fascinated by video surveillance, the UK is going after unsolicited marketing calls, and Norway seems to be fining towns. Obviously, the big fines are eye-catching, but there are trends in cases. Let’s look at the big company fines, the odd cases, and some national trends.
Austria has had 10 enforcement actions over the last three years, half of which were against private individuals, and several of which involved video surveillance. In 2019, a kebab restaurant was fined €1,800 because their video surveillance system recorded more of a public area than it should. They appealed the fine, which the courts reduced to €1,500. In 2018 a private motorist was fined €300 for having two dashcams which recorded more of the public road than the courts thought reasonable. The same issue of video surveillance came up in several more enforcement actions against small businesses and individuals.
In Germany in 2018, a private individual sent several emails to 160 people with the email addresses visible to everyone. He was fined a very precise €2,628.50 and had to pay court costs too; maybe the lesson here is to use bcc.
More typically perhaps, one of the German regulators fined H&M €35 million for violating the privacy of their employees by recording details of illnesses and medical diagnoses for use in performance reviews. Bear in mind, the GDPR has particular protections in place for the use of health data with extra penalties for misuse.
Staying with the workforce theme, in 2021, notebooksbilliger.de was fined €10.4 million for video surveillance of its workforce and customers without permission.
Grindr has found itself in hot water in Norway. The Norwegian regulator announced its intention to fine Grindr €10 million for unlawful sharing of personal data with third parties for marketing purposes. Grindr was hit hard because the GDPR contains special provisions protecting information on sexual orientation. At the time of writing, the punishment isn’t final and it may be reduced or even not levied. Aside from Grindr, Norway’s regulators have been actively enforcing the regulation against municipal governments, with six fines over the last three years (out of a total of twenty-five actions I can find).
On the theme of large fines for international companies, the usual suspects have been fined by regulators in different countries.
December 10th, 2020: €35 million fine for failing to obtain user consent for cookies and failing to disclose what cookies were used for.
December 1st, 2019: €51,000 fine for not appointing a data protection officer. (Facebook has been fined in different countries under non-GDPR law. There’s a large lawsuit currently in the works against Facebook.)
January 21st, 2019: €50 million for issues of consent and clarity on its use of advertising data.
December 10th, 2020: €100 million for cookie privacy issues.
March 11th, 2020: €7 million for a right-to-be-forgotten action.
December 9th, 2020: €450,000 fine for late disclosure of a data breach.
In Spain, the national football (soccer) league, La Liga, received a penalty of €250,000 for a spyware app. In Europe, bars and pubs pay fees to screen football matches, and unsurprisingly, some bars and pubs don’t want to pay. La Liga’s mobile phone app sampled the user’s microphone and their location. Using Shazam-like technology, it identified if the user was in a bar and if a match was playing. If a bar was screening a match and wasn’t paying, La Liga could enforce payment. Unfortunately for La Liga, they didn’t inform users and they didn’t get user consent, so they were fined.
I’m going to wrap up (or should I say, leave) with the UK. The UK’s regulator (the Information Commissioner's Office or ICO) has been unafraid to name-and-shame offenders and it has levied some large-scale fines.
An HIV clinic in London was fined £180,000 for an email newsletter in which all 781 recipients were visible in the “to” field; the amount was high because the GDPR has extra penalties for offenses involving sexuality and/or health.
During the pandemic, ‘marketing’ companies were very active making unsolicited sales phone calls, texts, and emails. The ICO was equally busy punishing them for it. By my count, the ICO has fined 25 companies a total of about £4 million for unsolicited contacts. A typical case was CRDNN, which was fined £500,000 (the maximum legal penalty) for making more than 193 million automated sales calls.
Some of the UK’s largest fines are noteworthy for the mechanism that led to the fine: vendors and their handling of data.
Although the UK is no longer part of the EU, it has adopted nearly identical legislation (the UK GDPR), but there has been some political commentary that the UK may change the law later in 2021. For now, the GDPR still applies in the UK.
GDPR enforcement has ramped up over the last few years and this trend is likely to continue into the future. Regulators have increased the size of fines and have been unafraid to act against the largest companies. At the other end of the spectrum, the willingness of regulators to punish individuals is surprising (watch your video cameras and emails). As some of the recent large fines point out, third-party risk management is likely to become more important. Companies have been fined for sharing data with their vendors, but they’ve also been held responsible and fined for breaches at their vendors. The lesson is clear: be careful who you share your data with and ensure they have adequate controls in place.