Lady Justice in front of the European Union flag in the background showing expectations of EU GDPR fines and sanctions
First GDPR Fines and Sanctions Expected Shortly

First GDPR Fines and Sanctions Expected Shortly

EU General Data Protection Regulation (GDPR) supervisory authorities in the European Union are set to flex their collective muscle before the end of 2018, at least according to European Data Protection Supervisor Giovanni Buttarelli. In a recent interview with Reuters, Buttarelli said that the regulatory authority has been faced with a deluge of complaints regarding violations in terms of general data protection. However, there also appears to be some confusion regarding the scope and definitions of the GDPR regulations, with many organizations requesting clarification regarding their interpretations of responsibility for compliance with the regulations. Even taking into account these teething problems, the GDPR (which came into force on May 25, 2018) has been recognized as the biggest shake-up of data privacy laws in more than two decades and the prospect of GDPR fines and sanction has many top-level executives extremely worried.

The GDPR shakeup

The general data protection regulations have some serious teeth. The fines that can be levied for non-compliance are not just a slap on the wrist. GDPR compliance is becoming more and more urgent for companies in the EU – and even further afield as organizations in other regions will be hit with the ripple effect of fines and other sanctions if they have partners or users of their services in the EU.

Increasing appetite for GPDR fines

It is becoming increasingly clear that the GDPR regulations are forcing companies to think long and hard about the impact that GDPR will have on their operations. Faced with a 53 percent jump in complaints from last year in France and Italy alone there seems to be an emerging trend echoing dissatisfaction with issues regarding privacy and data security. These statistics show that the public (at least) have lost patience with organizations that are playing fast and loose with their data – and want them punished – and GDPR fines are only one of the mechanisms that they want to see implemented.

The GDPR sanctions can have a material impact on the operations of a company – and in the most serious of cases cause balance sheets to simply implode. The GDPR rules under Article 83 allow consumers to better control their personal data and give regulators the power to impose fines of 20 million euros ($23 million) or up to 4 percent of global annual turnover of the preceding fiscal year, whichever is higher, for violations.

Now, this may not seem a large amount for companies like Facebook and Google which are already facing regulatory scrutiny from government sanctioned bodies across the globe. However, it’s not only the GDPR fines of 20 million euros that should be giving these online giants pause to reconsider their approach to privacy. That’s pocket change to many of these Internet behemoths.

The following statement by Buttarelli should send cold shivers down their collective spines.

“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”

In other words, as regards GDPR fines – “You have been warned.”

GDPR fines across the globe

Fines could be imposed on any company that operates in EU member states, no matter where it is headquartered. And the European Data Protection Supervisor warned that the gap between telecoms operators and online messaging and email services (such as WhatsApp and Microsoft subsidiary Skype) was narrowing as far as regulatory oversight is concerned. The transfer of personal data across these user networks is now an issue that regulators are increasingly concerned about.

Buttarelli said the sanctions will be imposed in many European Union countries and will hit many companies and public administrations. Investigations into the operations of many organizations with global reach are ongoing so he was reluctant to go into further detail. However, it sounds as if GDPR enforcement authorities are testing just how broad their powers could be.

More work to be done on multinational GDPR enforcement

Buttarelli emphasized that companies across the globe were not out of reach of European Union regulators. “The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement.”

Buttarelli urged EU countries and lawmakers to bridge their differences on overhauling the e-privacy directive which aims to create a level playing field between telecoms operators and online messaging and email services. He was adamant that the regulations would have far reaching consequences for those who supply communication services – no matter the traditional definitions or their services. It appears that the threat of GDPR fines for noncompliance with regulations are going to have a global ripple effect.

Time to pay real attention to privacy issues

Buttarelli said, “E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy.”

Given the increasingly strident voices from the public that are demanding more stringent policing of data security and privacy issues and data protection regulation, as well as the focus of EU regulators, companies like Google and Facebook (and many others) should be paying real attention to privacy issues. The cascade of allegations by government bodies and private citizens means that companies and organizations that are custodians of data or responsible for processing personal data need to revisit their approaches to security and GDPR compliance – and sooner rather than later. Otherwise the GDPR fines and sanctions that they will face, irrespective of where they are headquartered could have a material impact on shareholder sentiment and their annual revenue – and may very well see an exodus of users.