Nearly three years into the EU's General Data Protection Regulation (GDPR), fines are finally starting to grow, albeit slowly.
The same is true in the U.S. Without a federal privacy law, regulatory enforcement from agencies such as the Federal Trade Commission lacks teeth. They make do with what they have, resulting in fines that are hardly impactful — consider the FTC's "record" $5 billion fine to Facebook in 2019. With a revenue north of $70 billion that year, the fine barely dented Facebook's bottom line.
Data protection authorities (DPAs) in the EU are gaining momentum each year and increasing their enforcement budgets. Since GDPR became applicable in May 2018, EU data privacy watchdogs have issued just over $332 million in fines, according to DLA Piper. Last year alone, fines reached $193.4 million.
"Much like infants, regulatory non-compliance penalties often start 'without teeth' and consist of warnings," said Rebecca Herold, CEO of Privacy and Security Brainiacs, and host of "Data Security and Privacy With the Privacy Professor" radio show.
Slow growth is to be expected as regulators and compliant companies "try to figure out what is reasonable and realistic for meeting compliance with new laws," she said.
While it took about a year after GDPR took effect for major fines to appear, watchdogs are still navigating the grey area between encouraging better privacy standards and showing zero tolerance for negligent or intentional violations. Many DPAs are prioritizing Article 5(1)(a) of GDPR, which requires that personal data be processed with "lawfulness, fairness and transparency."
When fines are initially issued, it's not uncommon for DPAs to walk back the price tag, whether on their own or by court decision.
In October 2019, the Austrian Data Protection Authority imposed a roughly $22 million fine on Österreichische Post AG (OPAG) for GDPR infringement. The postal service allegedly violated the regulation by "processing personal data on the alleged political affinity of affected data subjects," according to the European Data Protection Board. By December 2020, an Austrian federal court had overturned the penalty.
Even though the United Kingdom is no longer a member of the EU, its Information Commissioner's Office (ICO) still follows GDPR procedures in cases that predate Brexit. In at least two of those cases, the ICO also cut its fines sharply:
- British Airways' original $230 million fine was reduced to about $26 million.
- Marriott International's original $124 million fine was reduced to about $24 million.
The ICO landed on Marriott's new fine after considering "representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty," the watchdog said.
However, DPAs are not always required to explain in full why or how they calculate, or in these cases recalculate, their fines.
Eyes on America
DPAs have targeted most of their attention at U.S.-based companies. "There are legitimate criticisms that this is unfair headhunting, but it also reflects a desire by data protection authorities to use big name cases to broadly influence the practices of industry," said John Dermody, counsel at O'Melveny.
In December, Ireland's Data Protection Commission (DPC) announced an approximately $547,000 fine against Twitter for failing to notify the regulator of a breach within 72 hours and for insufficiently documenting its "effects and the remedial action" following the incident.
"Considering the attention the threat of massive fines has garnered, the cumulative penalties have so far been relatively small," said Dermody. "That is cold comfort to those companies that have found themselves in the cross hairs of regulators and privacy advocates."
On Tuesday, Norway's DPA announced its intent to fine Los Angeles-based Grindr almost $12 million, representing about 10% of Grindr's $100 million annual turnover.
"Our view is that these people have had their personal data shared unlawfully," said the DPA. "Our investigation has focused on the consent mechanism in place from when the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent."
A gradual rise in fines is the norm under most regulatory regimes. Companies are used to seeing compliance penalties start off "comparatively low, and then increased, dramatically, over time," and the same is expected of GDPR, said Herold. "Look at the upward trajectory of HIPAA fines over the years as an example."
To navigate GDPR compliance and avoid violations, U.S.-based companies can take advantage of the "one-stop-shop" mechanism.
The mechanism makes the DPA of the member state where a company has its main EU establishment the "lead authority in its dealings with other concerned DPAs in the EU." It simplifies compliance for companies operating across EU borders.
The Facebook Belgium v. Gegevensbeschermingsautoriteit case is testing that mechanism. The case began in 2015 and has since raised questions under GDPR. Citing the "one-stop-shop" mechanism, Facebook argues that Belgium's DPA lacks jurisdiction because Facebook's primary EU headquarters is in Ireland. In January, the Advocate General of the Court of Justice of the European Union delivered an opinion that the "one-stop-shop" mechanism takes precedence.
However, the Advocate General also said that other concerned DPAs, such as the Belgian DPA in this case, retain a right to pursue certain concerns. In practice, GDPR enforcement is tied more closely to where the affected individuals live than to where a company is headquartered.
Removing the "one-stop-shop" mechanism could make compliance more financially challenging. Already, half of companies say their privacy budgets are inadequate, according to ISACA's Privacy in Practice 2021 report. ISACA surveyed more than 1,800 IT audit, risk, security and privacy professionals.
Companies are also unsure who should lead their data privacy practices. Just over one-fifth of respondents say their chief privacy officer is in charge, followed by 23% who say it is the CISO or CSO. The CEO and CIO are evenly split at 13% each.
Left out of high-profile cases is "the daily grind of compliance," said Dermody, including handling data access requests, running internal privacy assessments and implementing data management policies.
"Privacy practices have improved, but compliance is not an end-state but rather a constant process," he said.