
The GDPR at 3 Years Old: Penalties, Countries, and Disparities

Mike Woodward
05/25/2021

The General Data Protection Regulation (GDPR) turns three years old on May 25th, 2021, so it’s an appropriate time to look at how it’s been enforced and some of its consequences. Most of the fines were for the kinds of breaches you might expect, but as we’ll see, some punishments were for what seem like very novel interpretations of the law. Predictably, big businesses have received substantial fines, but even small businesses and individuals have been hit too. As you might expect for a law that covers 31 countries, enforcement action varies substantially between nations; more than differences in size and wealth alone would explain (as a reminder, the GDPR applies to EU countries and several European countries not in the EU, most notably Iceland, Norway, and the UK).

Oddly, there’s no central European repository of enforcement actions and the publication of actions varies from country to country. However, several groups have collected data from government and press sources, and thanks to their efforts, we have a picture of how countries have applied the regulation over the last three years. I’ve taken data from www.enforcementtracker.com and several other sites for this analysis.

Fines increasing over time

Let’s start by looking at how regulatory actions have changed over time and which European countries have been actively enforcing the regulation.

This chart shows the number of regulatory actions that countries have taken over time (as of the end of April 2021). Because there’s no central repository, the data is incomplete, and for a handful of known actions I don’t have complete dates, but even so, the chart tells a clear story.

(Regulatory actions, removing ‘duplicates’ and actions where the date is unknown, as of end April 2021.)

After the GDPR was enacted in 2018, the press speculated that there would be a honeymoon period to allow companies to adjust, and the data seems to bear that out. Enforcement increased sharply starting in 2019 and it’s obvious actions are increasing over time. It’s a reasonably safe bet this trend will continue into the future.

Looking at the country level, enforcement varies widely, as I’ve shown in the chart below. Once again, data collection is more complicated than you might think: for example, the UK’s regulator often reports two actions for a single incident (an enforcement notice and a monetary fine), which I’ve counted as one, and each of the 16 German states (Länder) has its own regulator reporting in its own way. Despite these complications, the chart clearly lays out the inconsistencies between countries.

(Regulatory actions, removing ‘duplicates’, as of end April 2021.)

Of course, there could be several reasons why these stark differences exist: some regulators may be better funded or have more staff, corporate practices may differ between member states, and of course some countries may simply make it a priority to enforce the rules more than others.

To understand what’s going on, we need to look at the country level in more detail.

Notable cases by country

As we’ll see, it’s very apparent that countries each have their own particular concerns and they’re using the GDPR in different ways. Austria seems fascinated by video surveillance, the UK is going after unsolicited marketing calls, and Norway seems to be fining towns. Obviously, the big fines are eye-catching, but there are trends in cases. Let’s look at the big company fines, the odd cases, and some national trends.

Austria: video surveillance

Austria has had 10 enforcement actions over the last three years, half of which were against private individuals, and several of which involved video surveillance. In 2019, a kebab restaurant was fined €1,800 because their video surveillance system recorded more of a public area than it should. They appealed the fine, which the courts reduced to €1,500. In 2018 a private motorist was fined €300 for having two dashcams which recorded more of the public road than the courts thought reasonable. The same issue of video surveillance came up in several more enforcement actions against small businesses and individuals.

Germany: email and workforce surveillance

In Germany in 2018, a private individual sent several emails to 160 people with the email addresses visible to everyone. He was fined a very precise €2,628.50 and had to pay court costs too; maybe the lesson here is to use bcc.

More typically perhaps, one of the German regulators fined H&M €35 million for violating the privacy of their employees by recording details of illnesses and medical diagnoses for use in performance reviews. Bear in mind, the GDPR has particular protections in place for the use of health data with extra penalties for misuse.

Staying with the workforce theme, in 2021, notebooksbilliger.de was fined €10.4 million for video surveillance of its workforce and customers without permission.

Norway: Grindr and towns

Grindr has found itself in hot water in Norway. The Norwegian regulator announced its intention to fine Grindr €10 million for unlawful sharing of personal data with third parties for marketing purposes. Grindr was hit hard because the GDPR contains special provisions protecting information on sexual orientation. At the time of writing, the punishment isn’t final and it may be reduced or even not levied. Aside from Grindr, Norway’s regulators have been actively enforcing the regulation against municipal governments, with six fines over the last three years (out of a total of twenty-five actions I can find).

France, Germany, Sweden, Ireland: Amazon, Facebook, Google, and Twitter

On the theme of large fines for international companies, the usual suspects have been fined by regulators in different countries.

| Company | Country | Date | Overview |
|---|---|---|---|
| Amazon | France | December 10th, 2020 | €35 million fine for failing to obtain user consent for cookies and failing to disclose what cookies were used for. |
| Facebook | Germany | December 1st, 2019 | €51,000 fine for not appointing a data protection officer. (Facebook has been fined in different countries under non-GDPR law. There’s a large lawsuit currently in the works against Facebook.) |
| Google | France | January 21st, 2019 | €50 million for issues of consent and clarity on its use of advertising data. |
| Google | France | December 10th, 2020 | €100 million for cookie privacy issues. |
| Google | Sweden | March 11th, 2020 | €7 million for a right-to-be-forgotten action. |
| Twitter | Ireland | December 9th, 2020 | Fined €450,000 for late disclosure of a data breach. |

Spain: football spying

In Spain, the national football (soccer) league, La Liga, received a penalty of €250,000 for a spyware app. In Europe, bars and pubs pay fees to screen football matches, and unsurprisingly, some bars and pubs don’t want to pay. La Liga’s mobile phone app sampled the user’s microphone and their location. Using Shazam-like technology, it identified if the user was in a bar and if a match was playing. If a bar was screening a match and wasn’t paying, La Liga could enforce payment. Unfortunately for La Liga, they didn’t inform users and they didn’t get user consent, so they were fined.

United Kingdom: unwanted calls and leaky vendors

I’m going to wrap up (or should I say, leave) with the UK. The UK’s regulator (the Information Commissioner’s Office or ICO) has been unafraid to name-and-shame offenders and it has levied some large-scale fines.

An HIV clinic in London was fined £180,000 for an email newsletter where all 781 recipients were visible in the “to” field – the amount was high because the GDPR has extra penalties for offenses involving sexuality and/or health.

During the pandemic, ‘marketing’ companies were very active making unsolicited sales phone calls, texts, and emails. The ICO was equally busy punishing them for it. By my count, the ICO has fined 25 companies a total of about £4 million for unsolicited contacts. A typical case was CRDNN, which was fined £500,000 (the maximum legal penalty) for making more than 193 million automated sales calls.

Some of the UK’s largest fines are noteworthy for the mechanism that led to the fine: vendors and their handling of data.

  • In 2020, the ICO fined British Airways (BA) £20 million for a data breach involving 400,000 of its customers. The breach occurred through their third-party cargo-handling vendor, Swissport. A hacker compromised the account of a Swissport employee, and using the compromised account, gained access to BA’s system, obtained privileged access, and breached some of BA’s customer data. BA wanted to shift the blame to Swissport, but the ICO still fined BA and not Swissport.
  • Marriott was fined £18.4 million for a breach dating back to the Starwood hotel group they took over in 2016. Marriott didn’t find the breach during their M&A due diligence and didn’t discover it until 2018. Marriott blamed their IT contractor, Accenture, for not detecting the breach, but the ICO was unmoved and fined Marriott anyway.
  • The story was similar at Ticketmaster, which was fined £1.25 million for failing to secure its customers’ data. Ticketmaster attributed the fault to its contractor, Inbenta Technologies, but the ICO ultimately held Ticketmaster responsible for its vendor’s actions.

Although the UK is no longer part of the EU, it has adopted nearly identical legislation (the UK GDPR), but there has been some political commentary that the UK may change the law later in 2021. For now, the GDPR still applies in the UK.

Some thoughts for the future

GDPR enforcement has ramped up over the last few years and this trend is likely to continue into the future. Regulators have increased the size of fines and have been unafraid to act against the largest companies. At the other end of the spectrum, the willingness of regulators to punish individuals is surprising (watch your video cameras and emails). As some of the recent large fines point out, third-party risk management is likely to become more important. Companies have been fined for sharing data with their vendors, but they’ve also been held responsible and fined for breaches at their vendors. The lesson is clear: be careful who you share your data with and ensure they have adequate controls in place.
