If 2018 was the year of GDPR implementation, then 2019 is the year of GDPR enforcement. Data Protection Authorities (DPAs) in Germany have started their audits, and France’s DPA, the CNIL, levied its first major fine earlier this year.
The GDPR upped the stakes for data protection around the globe. Since its implementation, a number of countries have released new legislation around penalties, ranging from hefty fines to imprisonment. It’s easy for organizations to view fines as a harsh punishment, but fines and penalties demonstrate the value a government places on data protection for its residents. The GDPR and other regulations have fines of over $1,000,000 per violation, and in many of these countries, simply being non-compliant can be a violation (even if there hasn’t been a data breach). As countries around the world recognize their responsibility to protect data subjects, the punishment for mishandling or compromising personal data increases.
In this post, we’ll look at how countries around the globe address penalties for data protection violations, review notable penalties, and walk through some steps your organization can take to avoid them.
Data Protection Penalties around the World
Recently, we began comparing the data protection regulations of 24 countries around the world, from Germany to Japan to Israel. Through this exercise, we discovered that 65% of these countries either made significant amendments to their data protection laws or issued new regulations after the GDPR was announced in 2016. While the extent of these changes has varied, one thing is clear: these changes are meant to align the laws of these countries with the new data protection gold standard, the GDPR. This alignment extends all the way to the penalties and fines for non-compliance.
While there are a few reasons a country may increase penalties around data protection, one is to obtain an adequacy decision from the EU under the GDPR, which allows personal data to flow freely from the EU to that country. Among the factors the EU weighs in an adequacy assessment are respect for human rights and fundamental freedoms and the existence of an independent supervisory authority that actually enforces the rules. Penalties are one way a country can demonstrate how its supervisory authority will enforce its data protection laws.
In recent years, many regulators only issued penalties when a breach occurred, but under the GDPR, and now many others, hefty penalties and fines can be doled out just for failing to comply with the law. In the EU, penalties can reach up to €20 million or 4% of a company’s annual revenue. More than half of the countries we looked at, like Brazil and Australia, have penalties of more than $1,000,000 per violation. Roughly 30% had fines between $100,000 and $1,000,000 (like Mexico, Indonesia, and the Philippines), and only 15% had fines of less than $10,000 per violation (Japan and Russia).
However, many countries do not stop at corporate fines. The GDPR allows EU Member State derogations for penalties. Many countries, like Germany, France, Japan, the Philippines, Mexico, and Indonesia, issue sanctions to individuals who are responsible for a data compromise. Individuals involved in a breach can face up to one year in jail in Japan. In the Philippines, those involved in a breach can receive a prison sentence ranging from one to seven years. Individuals can also receive personal fines in Switzerland if they fail to provide the proper information to the Federal Data Protection and Information Commissioner.
While penalties vary from regulation to regulation, the message is clear. As data protection becomes a greater focus in countries around the world, the penalties for non-compliance become more serious.
Notable Data Protection Penalties and Fines
Germany’s First Fine under the GDPR
Many experts expected Germany to issue the first notable fine under the GDPR. Germany has led the EU in GDPR enforcement, starting its audits back in July. While Germany has issued dozens of fines since last summer, the story around its first fine, issued to German social media provider Knuddels, had an unexpected twist.
In July of 2018, hackers compromised the personal information of more than 330,000 Knuddels users, including 808,000 email addresses and passwords. The company discovered the breach in September, immediately shut down all affected accounts and notified its users. It then reported the breach to the responsible German DPA, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI). During its investigation, the LfDI discovered that Knuddels had stored users’ passwords in plain text, a clear violation of the GDPR’s security-of-processing requirements (Article 32). Nevertheless, in November the LfDI issued a comparatively small fine of €20,000.
Many were shocked by the small size of this fine, which could have been as much as €10 million or 2% of the company’s annual revenue, whichever is higher. But the LfDI considered the fine proportional to the incident and to how it was handled. The LfDI recognized that Knuddels had immediately notified the authority and its customers. The company also took swift action to put stronger security measures in place and presented a long-term plan for improving data security. The LfDI commended the company for its “exemplary cooperation” with the DPA and for the efforts it made to improve its security measures.
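The LfDI’s finding turns on a single implementation detail: how the password table was stored. The following Python is an added illustration and is not Knuddels’ code (the case record says nothing about their stack). It places a minimal plaintext store of the kind the LfDI objected to beside a hardened store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, so that a dump of the table no longer hands an attacker the passwords. The class names, the 600,000-iteration work factor and the sample credentials are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


# --- Failure mode: a plaintext table of the kind the LfDI found ---
class PlaintextPasswordStore:
    """Keeps passwords verbatim. Anyone who reads the table owns every account,
    and users who reuse the password elsewhere are exposed there too."""

    def __init__(self) -> None:
        self._rows: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._rows[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._rows.get(username) == password

    def dump(self) -> dict[str, str]:
        """What a breach of this table hands the attacker: every password."""
        return dict(self._rows)


# --- Hardened form: per-user salt plus a deliberately slow hash ---
PBKDF2_ITERATIONS = 600_000  # assumed work factor; OWASP's 2023 floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


@dataclass(frozen=True)
class PasswordRecord:
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS,
                  salt: bytes | None = None) -> PasswordRecord:
    """Derive the stored record. A fresh random salt per user means two users with
    the same password get different digests, so a dump cannot be cracked in bulk."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return PasswordRecord("pbkdf2_sha256", iterations, salt, digest)


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


class HashedPasswordStore:
    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._iterations = iterations
        self._rows: dict[str, PasswordRecord] = {}
        # Decoy record for unknown usernames, so a failed login costs the same
        # time whether or not the account exists (no enumeration by timing).
        self._decoy = hash_password(os.urandom(16).hex(), iterations=iterations)

    def register(self, username: str, password: str) -> None:
        self._rows[username] = hash_password(password, iterations=self._iterations)

    def verify(self, username: str, password: str) -> bool:
        record = self._rows.get(username)
        if record is None:
            verify_password(password, self._decoy)
            return False
        return verify_password(password, record)

    def dump(self) -> dict[str, str]:
        """What a breach of this table hands the attacker: salts and digests only."""
        return {u: f"{r.algorithm}${r.iterations}${r.salt.hex()}${r.digest.hex()}"
                for u, r in self._rows.items()}


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    users = [("alice", "correct horse battery staple"),
             ("bob", "correct horse battery staple")]
    plain, hashed = PlaintextPasswordStore(), HashedPasswordStore()
    for name, pw in users:
        plain.register(name, pw)
        hashed.register(name, pw)
    print("plaintext table after a breach:", plain.dump())
    print("hashed table after a breach:   ", hashed.dump())
    print("alice logs in:", hashed.verify("alice", "correct horse battery staple"))
    print("unknown user: ", hashed.verify("mallory", "anything"))
```

Run it and compare the two dumps: the plaintext table is the breach, while the hashed table forces an attacker to brute-force each user separately at 600,000 PBKDF2 iterations per guess. In production the record string would live in the user table and the iteration count would be raised over time; storing it alongside the digest, as here, is what makes that migration possible.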
Poland’s Controversial Data Protection Penalty
On April 1, 2019, Poland’s DPA, the UODO, fined a digital marketing agency €220,000 for non-compliance with the GDPR’s data subject rights requirements (see Article 14). In addition to the fine, the company, Bisnode, which has a location in Poland, must mail notifications to 6 million people within the next three months. It is estimated that this will cost the company an additional €8 million.
This penalty has stirred up controversy within the privacy community. A central part of the Bisnode business model is processing scraped data, a common practice for many marketing companies. Bisnode relies on the exemption in Article 14 for cases where providing the information to data subjects would involve a disproportionate effort, arguing that individually notifying every person whose data it processes exceeds what a controller can be required to do. Bisnode has said it will take the case to Europe’s highest court, and a decision at that level could affect hundreds of marketing companies across the globe.
Some privacy experts view the UODO’s decision as “radical,” taking a very literal interpretation of Article 14. The UODO argues that because Bisnode’s business model is founded on processing scraped data, they consciously made the decision to process data without notifying data subjects.
Google and the GDPR: The Highest Data Protection Fine Yet
At this point, you have probably heard Google’s cautionary tale. In January of 2019, the French DPA, the CNIL, fined the tech giant €50 million for violating the requirements of the GDPR. Interestingly, this fine was not issued as the result of a data breach, but because of data subject complaints. In May of 2018, groups began submitting complaints to the CNIL regarding Google’s apparent lack of transparency and appropriate consent.
During its investigation, the CNIL took issue with how the company obtained consent for data collection. The company was faulted for a lack of transparency, a key tenet of the GDPR, because the conditions of consent were spread across multiple documents, making it difficult for users to understand what permissions their consent granted. In addition, Google used blanket consent and pre-ticked boxes, two things the GDPR has made very clear do not constitute valid consent. Under the GDPR, consent must be “granular, freely given, informed and must involve affirmative action.”
When the CNIL issued this record fine, Google had not yet remedied the issues under investigation, so the CNIL treated the violations as continuing rather than as a one-off lapse.
Other Data Protection Fines and Penalties
Recent research from DLA Piper uncovered some interesting statistics around data breaches and fines post-GDPR implementation. The report, published in February 2019, found that only 91 fines have been issued under the GDPR, while 59,000 personal data breaches have been reported. So far, many of the fines issued have been small amounts, like €4,500 for a CCTV system that was deemed excessive. These numbers remind us that we are still in the early days of the GDPR, and regulators are stretched thin. Regulators are focused on the most high-profile and serious violations, leaving many companies waiting to see what may happen with their own cases. As regulatory bodies grow and penalty processes become more established, this may shift.
Avoiding Penalties and Fines under the GDPR
If the last few months have taught us anything, it’s that there are no quick fixes or silver bullets when it comes to GDPR compliance. Aligning with the regulation takes diligent, ongoing efforts by teams who understand the importance of protecting data subjects’ privacy. However, these recent fines and penalties have shown that there are a few factors that can help you avoid or minimize a penalty.
- Stating the Obvious: Compliance is Key.
While data breaches may be the source of many of the fines we have seen, recent events have shown that a fine may result from a compliance violation uncovered during an audit or by a data subject complaint. It’s not enough to just cross your fingers and hope your company doesn’t experience a breach. Building a GDPR-compliant privacy program is critical to avoiding hefty fines.
- Time Is of the Essence.
Taking immediate steps to disclose a breach to the competent authority and to affected users can earn you goodwill from DPAs, as Knuddels demonstrated. The GDPR’s breach notification requirements are explicit: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and affected data subjects must be informed when the breach is likely to result in a high risk to them (Article 34). Meeting that 72-hour window is critical to avoiding hefty fines.
- And Action!
Along the same lines, taking swift action to remediate the issues that led to a compromise or that are the source of non-compliance can soften the blow of a fine. Knuddels acted immediately and demonstrated that it was working to improve data security within the organization, which helped reduce its penalty. Google, by contrast, had not addressed the issues at the time of the decision, and the CNIL took the continuing nature of the violations into account when setting its fine.
Compliance under the GDPR is complicated, and its enforcement is still evolving. But organizations can find some comfort in the words of the German DPA, the LfDI: “As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned.” Fines and penalties are not a competition. Instead, they are a means to ensure data subjects’ personal data receives the highest level of protection.
Stay On Top of Changing Privacy Trends
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.