In the year since the General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, companies worldwide have been adapting to the new privacy rules—and EU regulators have also been busy adjusting to the new regime, handling an influx of data subject complaints, issuing guidelines and opinions, conducting investigations, and bringing enforcement actions for violations of the GDPR.
While regulators’ priorities vary slightly by jurisdiction, common issues for complaints and enforcement relate to marketing and advertising, data security and data breaches, data subject rights, and processing sensitive personal data and personal data of children. The European Commission reported that since May 25, 2018, European data protection authorities have received 144,376 GDPR complaints, mostly regarding telemarketing, promotional emails, and video surveillance/CCTV, and 89,271 data breach notifications.
The biggest fine to-date (EUR 50 million) was issued against Google by the French data protection authority (the “CNIL”), which alleged, among other things, that Google failed to be transparent about its marketing activities and did not obtain valid consent for personalized advertising. Despite the oft-cited potential penalties under the GDPR of the greater of EUR 20 million or 4% annual global turnover, however, most enforcement actions thus far have not imposed fines of similar heft. Instead, many regulators seem to have exercised restraint, understanding that all companies are adjusting to the GDPR.
Looking ahead, we expect regulators to continue to focus on these areas, and a number of regulators have already indicated their interest in these issues. At the IAPP Global Privacy Summit, Elizabeth Denham, head of the UK Information Commissioner, noted that her enforcement priorities include ensuring that the online advertising industry is transparent and fairand that companies comply with the GDPR’s strengthened privacy protections for children. In April 2019, the CNIL similarly emphasized the importance of children’s data, stating in its working plan for 2019 that its activities will focus on inspections of companies’ compliance with processing children’s data, data subjects’ rights, and the division of responsibilities between data controllers and processors. We also anticipate seeing higher fines, as enforcement actions and regulatory guidance provide companies with a better understanding of their compliance obligations—and fewer excuses for non-compliance.
For a sampling of enforcement actions and links to regulatory reports from May 25, 2018 – May 25, 2019, please click on a country below.