Business

Policy

Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli... Oh, that's mostly Google

2019 just a transition year, says French watchdog

By Rebecca Hill

27 SHARE

European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases – but watchdogs have said they're just warming up.

An assessment from the European Data Protection Board (EDPB), which is made up of regulators across the region, found that, in the first nine months, there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.

Vivienne Artz, chief privacy officer of market data purveyor Refinitiv, cited the report (PDF), published at the end of February, at a panel event assessing the first year of GDPR at a data protection conference in London this week run by the International Association of Privacy Professionals.

About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts.

Artz said that the total fines came to €55.96m – which she observed seemed like a lot before you realise that almost all of it comes from French data watchdog CNIL's €50m fine for Google.

Indeed, the figure emphasises the size of CNIL's fine – which was the first it had handed out under GDPR – and the body's director of the rights protection and sanctions directorate, Mathias Moulin, was on the panel to set out its reasoning.

He said the breach was "massive and highly intrusive", and that the fine had been based on five factors. These included the type of violation, its scale – it was continuous, rather than a one-off, and affected lots of people and massive amounts of data – and the size of the company.

But given the huge range of potential fines – which has risen from "up to £500,000" (in the UK) to "up to" €20m or 4 per cent of annual turnover – the EDPB has also tasked data protection agencies with "harmonising" their approaches.

At the event, Stephen Eckersley from the UK Information Commissioner's Office revealed that his organisation was working with the data protection agencies in the Netherlands and Norway to establish a "matrix" for calculating fines. This won't be public-facing, he said, but will instead be a "toolkit" for watchdogs.

As for the ICO's enforcement actions, he said that there were some GDPR cases in progress, but that the past year had been mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax.

Even CNIL's Moulin, said that last year "should be considered a transition year" for GDPR, as national regulators had to focus on finalising their rules and approaches, and spent most of their time tying up probes under the previous regime.

One thing that did change immediately under GDPR, if not the fines, was the number of incident reports. This was particularly so for companies turning themselves in over data breaches.

Eckersley said there was a "massive increase" in reports of data breaches in the first month at 1,700. This has levelled out a little, but there are still about 400 coming in a month. Overall, he expects the total to reach about 36,000 this year – up from 18,000 to 20,000 previously.

In order to deal with the increased demand – and organisations' propensity to report "just in case" – the ICO has set up a dedicated team for personal data breaches, so data controllers have a single point of contact to help them assess whether to make a formal notification.

The panel also noted that, while data breaches are more likely to hit the headlines, there are many more complaints coming in about other aspects of privacy regulations. For instance, Eckersley said that about half of the complaints relate to the way subject access requests have been handled. ®

Sign up to our NewsletterGet IT in your inbox daily

27 Comments

More from The Register

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Black Hat Revenge plan morphs into data leak discovery

Marketing biz bares folks' data in the act of asking for their GDPR comms preferences

Sprint Education plugged digit-diddling URL snafu quickly

UK watchdog fined firms £3m for data breaches last year – before its GDPR balls dropped

They'll never be so low again. Ask Marriott and British Airways

Colour us shocked: Google in €50m GDPR fine appeal bombshell

Didn't see that coming

Struggling with GDPR compliance? Don't waste money on legal advice: Buy a shredder

Oh, and this visitor book. How about a £60 cardboard bin?

What's in a name? Quite a bit when it's the most hated abbreviation of 2018 (GDPR, of course)

Marketing biz decides 'GD PR' was getting it noticed in all the wrong ways

Brave urges UK's data watchdog to join Ireland in probing claim Google adtech breaches GDPR

Privacy browser reckons personalised advertising = personal data processing

Own goal: $280,000 GDPR fine for soccer app that snooped on fans' phone mics to snare pub telly pirates

La Liga says privacy watchdog is Barca-ing up the wrong tree

Oops! Almost a year in and ICO staff haven't been handed a GDPR privacy notice yet

Data watchdog: All our staffers are 'aware' of policies...

Reports of cyber attacks fall, says UK.gov survey: GDPR? Fewer nasties? More targeted attacks? We just don't know

'Cyber stuff is still happening and some businesses are taking it more seriously'