GDPR Fines Continue to Roll Out in the Hundreds of Millions of Euros

Drew Wilson | February 6, 2020

The success of Europe’s General Data Protection Regulation (GDPR) continues, with fines still being handed out against violators.

Despite the insistence of some, overwhelming success continues to be a major theme for Europe’s GDPR. Earlier this month, we reported on a study that concluded that the enforcement side of Europe’s GDPR is dealing with 160,000 security incidents. This is a huge sign of success because data leaks and breaches are no longer hiding in the shadows. Instead, they are being brought forward by the companies themselves and the concerned public alike. Either way, it’s a sign that Europe is finally tackling the problem of data leaks and breaches on the continent.

With so much success, criticism of the laws does persist, even though the critics are becoming an increasingly small number. One of those criticisms is that there are no real fines, so enforcement isn’t even possible. Some go so far as to suggest that the laws are effectively worthless because no real fines are being handed out to violators to begin with. Proponents who respond with “just wait for it” are even mocked with air quotes.

It seems that such criticisms are no longer really valid. As ZDNet points out, the fines being handed out are easily reaching into the hundreds of millions of Euros. From the report:

You read that right: GDPR enforcement is on fire! While fines are not always particularly high, our analysis shows that, in terms of volume, data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities. Some interesting trends are also emerging:

DPAs have levied 190 fines and penalties to date. With 43 enforcement decisions made so far, Spain leads the pack as Europe’s most active regulator, followed by Romania (21) and Germany (18).
The UK has imposed the highest total amount of fines — more than €315 million — if both British Airways’ and Marriott’s fines are upheld after appeal. Following are France’s Commission Nationale de l’Informatique et des Libertés, with just over €51 million in fines, and Germany’s DPA, at nearly €25 million.

Failures of data governance — not security — trigger the most fines and penalties. DPAs have primarily acted against the infringement of Article 5 (principles of processing of personal data) and Article 6 (lawfulness of processing). These rules contain key data governance principles, such as data accuracy and quality, and fairness of processing, when firms collect and process the minimum amount of data necessary for a specific, clearly defined purpose. Firms struggle greatly to meet the requirements around consent and other available legal bases.

Breaches get the enforcement ball rolling but are just a starting point. Many security and risk (S&R) and privacy pros expected security infringements and missed breach notifications to be the main triggers of GDPR enforcement. DPAs have undertaken about 50 actions for infringement of Article 32 (security requirements) and a few more related to failure to report breaches. These cases show that an actual security incident is just the starting point for determining fines. Investigations that followed some of the biggest breaches of the post-GDPR era focused not only on the specific conditions of the breach but also highlighted “poor security arrangements.” Adequate authentication procedures — or the lack thereof — have been DPAs’ focus since the first enforcement action in 2018.

Of course, one question that might come out of this is: why did it take so long for this to happen? After all, the laws came into force in June of 2018, which is nearly two years ago. Well, as was suggested in the article, laws – especially laws that hand out penalties – are generally challenged and tested in court.
As anyone with experience observing court action knows, court cases take time – a lot of time. As an example of how long court cases can take, let’s look at the famous file-sharing case of Jammie Thomas. This major court case would help set the precedent for how much an alleged file-sharing copyright infringer can face in fines for copyright infringement. Looking over the Wikipedia entry, you can plainly see that the first finding occurred on October 4, 2007. The case finally stopped working its way through the system on March 18, 2013, when the Supreme Court declined to hear the case. It took more than 5 years to complete the cycle. While this is a different jurisdiction, it does provide a good example of how a court case can take several years before a decision is fully rendered.

In this case, we are seeing larger companies challenging the laws in the courts. Obviously, when there are questions about the legitimacy of the laws or the fines, enforcement of these laws can slow down significantly because legal questions are still up in the air. As far as court action is concerned – especially court action of this magnitude – two years is a very short period of time to determine how fines are going to be handed out.

Still, this is another shining example of how GDPR laws are proving to be successful. It also makes it harder to criticize these laws in the first place. If consumers win and gain better control over their personal information, all the better.

Drew Wilson on Twitter: @icecube85 and Facebook.