by Jonathan Mills, Solicitor at Reddy Charlton LLP
When introduced in 2018, the possibility of hefty fines for breaches of the GDPR grabbed the attention of European company CFO’s. In Ireland, the Data Protection Act 2018 enables the Data Protection Commissioner (DPC) to impose fines of up to €1million on Irish State/public bodies that are not in competition with private sector bodies. Public sector bodies that act as undertakings and private sector bodies may be fined up to €20 million or 4% of annual worldwide group turnover. The prospect of these fines had the desired deterrent effect and led to most companies (big and small) taking the new requirements seriously and adopting the appropriate procedures, plans and policies for the GDPR.
There followed a period of ‘phony’ war, where little to no fines were issued and some questioned whether the regulators would follow through on the threat of wielding the sword on those who breached aspects of the GDPR. In Ireland, it was not until late May 2020, when TUSLA (the child and family agency) became the first organisation in the State to be fined for a breach of the GDPR. The agency was fined €75,000 arising out of an investigation into three cases where information about children was wrongly disclosed to unauthorised parties. In a country that hosts most of the European headquarters of the world’s large technology firms, this fine would not have had much of a deterrent effect.
But there are clear signs that both the DPC and its European colleagues are now beginning to grow in confidence and flex their authority. It is noticeable that there is a steady increase in the use of fines for breaches with a near 40% increase in fines issued over the last 12 months as compared to the previous 20 months. Of recent note in Ireland (15 December 2020), the Irish DPC issued a €450,000 fines against Twitter for a date breach. In excess of €272 million was levied in fines through the combined efforts of European regulators. The most aggressive regulators in terms of the cumulative amounts fined are those of Germany (€52.98million) and Italy (€69.69million), who have issued in excess of 50% of the total fines issued to date. Estonia is some way behind, having issued two fines for a combined value of €548.
The largest fine imposed to date came from the French data protection authority when in 2019 it issued a €50 million fine against Google, saying that it had failed to be transparent on how data was used and further that it lacked a legal basis for personalising advertisements. Other notable fines include H&M which was fined €35,200,000 by the Hamburg Commissioner for Data Protection and Freedom of Information for a breach of personal (and sensitive personal) data, Marriotts International whose fine was reduced from £99million to just over £20million and the smallest fine issued to date was a mere €28.
The recent increase in fine activity must also be viewed through the lens of Covid -19, where it is arguable that some regulators have understandably adopted a lenient approach to companies undergoing financial hardship as a result of Covid-19. An example of that leniency comes from the UK Information Commissioner’s Office case against British Airways for an Article 31 breach in 2018. The fine of £183m was reduced down to £20 million, a welcome reduction to a brand and industry on its knees due to the effects of the virus. In addition, it is notable that regulators have suffered some setbacks in judicial appeals against the fines they have issued resulting in lower amounts. That said, given the novelty of GDPR, that process of judicial appeals will likely have yielded some valuable lessons learned for the regulators which may refine and strengthen their approach and provide a higher success rate into the future.
This indicates that 2021 and beyond will see regulators grow further in confidence and increasingly using their powers in an attempt to ensure that companies achieve and maintain that delicate balance between utilising data and protecting the rights of data subjects. Companies, both big and small, be warned.
About the author
Jonathan is a solicitor in Reddy Charlton’s Commercial team. Jonathan has experience in advising on the GDPR, data privacy and transfer matters and related topics. His work also includes the drafting and revision of commercial contracts as well as involvement in mergers and acquisitions.