The stats are in for the first year of GDPR, Europe’s gold-standard data privacy law. GDPR fines totalled €56M, with more than 200,000 investigations, 64,000 of which were upheld.

However, the fines were dominated by a single case, with most ranging in the single-digit thousands …

As our sister site 9to5Google noted back in January, €50M of the €56M total was a single fine against Google. France’s National Data Protection Commission (CNIL) found that the company failed to comply with its obligation to be transparent about the data it was collecting and using to serve personalized ads.

Legal database Lexology rounded up the GDPR fines imposed in each European country, finding that relatively few fines have been imposed, and these were generally for small sums.

Google aside, examples ranged from countries like Slovakia and Sweden, which have yet to issue a single fine, to countries like Poland, Portugal and Spain, which have fined companies several hundred thousand euros.

The Netherlands is an interesting example: it has issued only one fine, but that was a sizeable one. Note that this fine predates GDPR, but was levied under similar national legislation.

Austria has issued only three GDPR fines, all for tiny amounts.

Facebook

The BBC notes that Ireland is of particular interest due to the number of tech giants whose European operations are based there. Apple is among the companies to have been investigated, but of the 19 investigations to date, 11 are into Facebook and its subsidiaries.

So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.

Facebook says it is cooperating fully with the investigations.

Ireland’s Data Protection Commission says it has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram.

Twitter and LinkedIn are also under investigation, and last week the commission launched a probe into Google over the way it uses personal data to provide targeted advertising […]

The most common concerns are about the legal basis for processing personal data, lack of transparency about how a company collects personal data, and people’s right to access their data.

GDPR fines can go as high as 4% of a company’s total global turnover in the most serious of cases.

“We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have.”

GDPR in the US

Some companies, including Apple and Microsoft, have already pledged to extend GDPR-standard privacy protections to their customers worldwide. However, there are growing calls for a US federal privacy law modelled after GDPR.

Apple CEO Tim Cook has made repeated calls for a US federal privacy law that would mirror GDPR protection, including in a TIME magazine op-ed. Microsoft recently backed that call.

There is bipartisan support for a federal privacy law, but no consensus on the best approach.
