Last week we celebrated Data Protection Day. So this is the right moment to look back at the previous year, how it changed, and also to try to predict future developments. All statistics come from the DLA Piper GDPR fines and data breach survey: January 2021.
Regulators have been more active with fines
We saw that data protection authorities are getting up to speed with GDPR enforcement. EUR 158.5 million of fines have been imposed since 28 January 2020. That is a 39% increase compared to just over EUR 114 million in the previous 20-month period since GDPR came into force on 25 May 2018. Without doubt, the time of warnings is over and authorities expect companies to be fully compliant.
But let’s look deeper at what companies were fined for, which DPAs were most active, and the highest fines for GDPR non-compliance.
What were the biggest GDPR fines in 2021?
The highest GDPR fine to date remains the EUR 50 million imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent.
The second largest fine is EUR 35.26 million imposed by the Hamburg data protection supervisory authority on the global retailer H&M for failing to have a sufficient legal basis for processing.
Third, Italy’s data protection supervisory authority fined the telecommunications operator TIM SpA EUR 27.8 million for a number of breaches of GDPR, including breaches relating to transparency obligations, failing to have a sufficient legal basis for processing personal data, inadequate technical and organisational measures, and breach of the principle of privacy by design.
While the biggest fines are impressive, in most cases they are far from the maximum of 4% of a company’s global turnover.
What were the most common GDPR breaches in 2021?
Most fines are for violation of basic GDPR principles that have been in place since the days of Directive 95/46/EC, adopted back in 1995. A notable exception could be compliance with the data breach notification requirement, which was introduced with GDPR, but it is evaluated in the context of failure to implement appropriate security measures.
Failure to comply with the transparency principle
Authorities have paid attention to violations of the lawfulness, fairness and transparency principle (Article 5(1)(a) GDPR), making it a priority. Many companies were fined for not having privacy policies or proper notices in place, or for scattering information across many documents, making it hard for consumers to find the required information. Google’s EUR 50 million fine was also for breach of the transparency principle.
Failure to demonstrate a lawful basis to process
This is the cornerstone principle: any processing of data must have a lawful basis. In some cases, the supervisory authority concluded there simply could not be any lawful basis for the processing in question. In other cases the controller failed to demonstrate evidence of the lawful basis, chose a wrong lawful basis that could not apply in the case, or failed to obtain GDPR-compliant consent.
Failure to implement appropriate security measures
Controllers must ensure that processing is secure: no unauthorised persons can access data, systems and processes are monitored, and any data breaches are quickly identified and addressed. In practice this is no easy task to achieve. But effort is what counts.
Breach of the data minimisation and data retention principles
Many companies still collect too much data. Sometimes it is just that processes were built that way (more is better) without giving a thought to data protection. Legacy systems are not easy to rebuild, and dealing with unstructured data is hard. And in many cases it is not obvious what the appropriate amount of data to collect is.
Regulators aren’t always right
Supervisory authorities didn’t have everything going their way, though. Several high-profile fines were overturned in court or significantly reduced. That shows there is plenty of room for disputes about how to apply GDPR.
The UK’s ICO significantly decreased the fines for Marriott International (from £99 million down to £18.4 million) and British Airways (down to £20 million from £183 million).
A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation’s federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.
Also, the Austrian supervisory authority’s headline EUR 18 million fine imposed on Austrian Post was overturned by the Austrian Federal Court in December.
Consumer organizations test their powers
This year we saw an increase in court cases and complaints brought by consumer protection organisations. For example, noyb brought 101 complaints to 27 EU data protection authorities regarding non-compliant transfers of data out of the EU. Later noyb also sued Luxembourg’s data protection watchdog for its refusal to act against US companies.
British Airways is potentially facing the largest privacy class-action lawsuit in UK history over its mass customer data breach that affected 400,000 people, according to a law firm involved.
This year will for sure bring an increase in the activities of consumer organisations, which target not just companies for non-compliance but also supervisory authorities for lack of action.
Increase in reported data breaches
For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day. That is a 19% increase compared to the previous year’s 278 notifications per day.
I think there are 2 possible reasons for such an increase:
- Better awareness among companies of identification and reporting obligations. Companies are becoming more educated both about the importance of having proper tools to be alerted to incidents and about their obligations to report data breaches to authorities. Also, increased DPA activity regarding fines for failing to meet reporting obligations may play a role.
- Increased cyber-security risks. Last year was special for companies as most of them moved to remote work. Neither companies nor employees were ready for such a shift. Working from home put data at increased risk as employees used their own (often unsecured) equipment to process data or made data available to their household members. And, of course, cyber-criminals were more active than ever in using this new situation for their own gain.
Thus, I am of the opinion that in 2021 we will see a further rise in reported data breaches. For many companies there is still much work to do to address the risks created by remote work, both technologically and in the training of employees.
Takedown of Privacy Shield
The CJEU’s decision to invalidate Privacy Shield was probably the loudest data privacy case of 2020, not just in the EU but especially in the US. Moreover, the decision impacted all data transfers outside the EEA to countries without “adequate data protection”, as the court noted that any such transfers must be scrutinised and derogation measures can’t be applied just formally. Companies are required to evaluate the legal regime of the data importer’s country and how it can apply to the specific data transfer, a huge burden for companies. In addition, technical measures (such as encryption) must be used to secure data.
Both EU and UK companies and privacy experts were closely watching the Brexit negotiations to understand whether any additional safeguards would have to be applied to data transfers or whether they could continue as before. The solution was found at the last minute and was... to give an additional 4-6 months to find a solution. Some relief for companies, but the uncertainty is still there.
New data protection guidance from authorities
There are still many open legal questions and uncertainties in the interpretation and application of GDPR. It will take time to clear them up. Therefore any new guidance is welcome. Both local authorities and the European Data Protection Board (EDPB) have been actively working on new GDPR guidance.
Also, CJEU issued several notable decisions on data protection and e-privacy questions, deciding, for example, that:
- EU law prohibits State authorities from requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to security and intelligence agencies,
- Privacy Shield is invalid as a tool for data transfers from the EU to the US,
- pre-ticked boxes are not compliant with GDPR’s consent requirements,
- Parliament’s petition committee must be categorised as a ‘controller’.
In November the European Commission released a draft set of new Standard Contractual Clauses (SCCs) that will replace the long-outdated existing ones.
The hard work on GDPR guidance will of course continue this year, too. And some new decisions are also expected from the CJEU to shed light on problematic issues of GDPR application.
While the big “hype” around GDPR among the public is settling down, privacy and data protection are not going away. On the contrary, we see that both data protection authorities and consumer organisations are getting better resourced and more knowledgeable to bring data protection to the next level. Companies should play along and keep their processes compliant.