Data Protection Regulators Cracking Down on Privacy Violations
Data regulators are issuing more fines than ever before, here’s what you need to know to avoid getting caught in the crosshairs.
The enaction of the EU’s General Data Protection (GDPR) law in May 2018 was a landmark moment in the field of data protection and privacy. Developed in response to surging levels of digital data collection, the legislation sought to strengthen, modernise and harmonise individuals’ data privacy rights across the EU, as well as ensure personal data is better protected from cyber threat actors.
The History of GDPR
GDPR was first passed in 2016, giving organizations plenty of time to comply with the new data protection and processing obligations before it came into force.
The new rules were backed up with considerable clout, with regulators authorized to issue fines of up to a maximum value of €20m ($21m) or 4% of annual global turnover, whichever is higher, for privacy or data protection violations.
Since the GDPR came into force, many other countries have passed their own new privacy laws, based upon similar principles. In the US, these include the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA) and the Utah Consumer Privacy Act (UCPA), and many experts believe a federal privacy law is a possibility in the near future.
Other major economies, such as China, India and Brazil, are also planning, or have already passed their own updated data privacy legislation in the past few years.
The GDPR and other data privacy laws have generated plenty of publicity. But to date, just how far have regulators been willing to go to enforce these new rules?
An Inauspicious Start
Despite the enormous significance of the GDPR on paper, it was apparent that many organizations were ill-prepared to comply with the regulation when it came into force on May 25, 2018. For example, research from 2017 found that a staggering 84% of small UK business owners were unaware of the forthcoming GDPR. Further research, published in April 2018, found that just a third of websites in the EU had updated their privacy policy in line with the GDPR provisions.
A mixture of the financial cost involved and lethargy are the most likely contributing factors for this inaction.
Partly as a result of this lack of preparedness, regulators took a relatively light touch to punishing GDPR violations during the first three years of its existence. For example, just 0.25% of data breach cases handled by the UK’s Information Commissioner’s Office (ICO) in the first year of the GDPR resulted in fines.
Additionally, in several cases during those first few years, initial intentions to levy heavy penalties were later substantially scaled back. For example, in July 2019, British Airways (BA) was hit with a £183m ($230m) fine after failing to prevent around half a million customers’ data being breached in a digital skimming attack. However, this was reduced to just £20m ($26m) in October 2020, with the ICO citing the economic impact of COVID-19 on the business as the reason for the reduction.
In another case, the ICO’s intention to fine hotel chain Marriott International £99m ($123m) after around 339 million guest records were exposed in a data breach was watered down to £18.4m ($23.8m) following representations from the firm.
From July 2018, when the first ever GDPR fine was issued, through to June 2021, there were a total of 713 fines levied, at a cumulative value of around €294.5m ($359.7m). This represented a rather low-key opening few years of the GDPR.
Register for Europe’s leading cybersecurity event
Join us at London ExCeL, 4-6 June, for three days of learning, networking, discovering and exploring all things Infosecurity.
Ramping up the Pressure
The first ‘blockbuster’ fine emanating from the GDPR came in July 2021, when Luxembourg’s data protection authority hit tech giant Amazon with a record €746m ($877m) fine for data processing violations. Amazon has since appealed the decision, which will be heard at a Luxembourg court in January 2024.
This decision sparked a wave of high-level fines against large tech companies, as regulators started to get tough on GDPR breaches. Notable penalties have included:
- WhatsApp issued with a €225m ($267m) fine by Ireland’s Data Protection Commission (DPC) in September 2021 for failing to discharge GDPR transparency obligations.
- Meta/Instagram fined €405m ($402.2m) by Ireland’s DPC following an investigation into its handling of children’s data in September 2022.
- Google handed a €150m ($170m) penalty or failing to enable YouTube users to refuse cookies as easily as they could accept them.
Subsequent analyses of GDPR fines by law firm DLA Piper demonstrated the growing willingness of regulators to enforce the rules. In January 2022, it found there were over €1bn ($1.1bn) fines levied since January 2021, an enormous 594% year-on-year increase from 2020.
Then, from January to December 2022, the firm observed €2.9bn ($3.1bn) in monetary penalties being issued, a 168% rise on the previous year. This is despite the average number of reported breaches per day falling slightly in 2022.
Data Protection Enforcement in the Future
In Europe, it is clear that regulators are keen to send a message to organizations that there will be serious repercussions for failing to protect consumers’ data.
One European nation where we may see a different approach being taken is the UK, following its official departure from the European Union in January 2021. While the UK has incorporated the GDPR provisions into its statute book following Brexit, the government has frequently indicated that it is considering diverging from the rules to allow more economic benefits from data, such as enabling data flow agreements to be struck with more countries around the world.
To realize this vision, the UK government has introduced the Data Protection and Digital Information Bill, dubbed the Data Reform Bill, which is currently going through Parliament. This legislation outlines a number of changes to the current UK GDPR, including limitations in the scope of personal data, tweaks in the use of personal data for legitimate interests in order to ease data use and sharing for scientific research and the public sector and a redefinition of data protection impact assessment (DPIAs) to ‘assessments of high-risk processing.’
The UK’s approach to data protection and GDPR is well worth keeping an eye on in the coming months and years, including how this affects the extent of financial penalties issued in the country.
Regarding the development of data privacy legislation in other parts of the globe, such as the US, it will be interesting to see if regulators follow a similar path to that of the EU’s GDPR – a light touch approach for the first few years before heavy financial penalties begin to be leveraged.
Enjoyed this article? Make sure to share it!
Latest Articles
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?