GDPR Anniversary: Fines, Interpretations, and Aims for Year Two


On May 25th 2018 the data management landscape in the European Union shifted permanently with the enforcement of GDPR, aimed at promoting user privacy and ensuring that their personal details are held in a more secure manner.

One year down the line, as GDPR celebrates its Paper Anniversary, which is ironic given the reduction of paper being delivered through the letterbox in the form of junk mail, ExchangeWire examines how the legislation has been put into practice in the previous 12 months, and assesses what future steps can be taken to ensure its effectiveness.

The fines so far: Leniency and inconsistent adoption

Up until January this year, there were approximately 95,180 complaints connected with GDPR, along with 41,502 notifications of data breaches. However, just 91 fines have reportedly been imposed, indicating that data protection authorities (DPAs) are either chronically understaffed or tentative about using their legal teams in all but the most clear-cut cases of negligence. The number of reported breaches per country also ranges dramatically, with 15,600 breaches reported in the Netherlands (89.8 breaches per 100,000 people) up until January 2019, compared to Italy, which reported only 610 breaches in the same period (0.9 breaches per 100,000 people). Such a large gulf is worrying, as it suggests many organisations and consumers are not being made fully aware of their rights in reporting misuse of their personal data, something which underpins the entire concept of GDPR.

It is also important to examine the fines which were actually imposed on companies found to have violated GDPR. The French DPA (CNIL) made headlines across the world when it fined Google €50m (£44m), but how strict was this fine in the context of Google's annual revenue, as well as relative to the maximum fine possible? As these results show: not very.

[Image: GDPR Fines Table]
Fines applied to Knuddels, Google, Taxa4x35, and Bisnode for GDPR violations. Revenue figures calculated using publicly-available investor reports and estimates from Owler.com. Maximum possible fine is defined as either €20m (£17.6m) or 4% of annual revenue, depending on which is greater, as stipulated in GDPR.

Whilst it is important to note that this is by no means a comprehensive list of all fines imposed, and that the figures alone do not account for the seriousness of the data breach, what is clear is that DPAs appear to be taking a highly lenient stance on how they impose fines. Take the penalty imposed on Knuddels by LfDI Baden-Wuerttemberg, for example. Nearly two million usernames and passwords were left unencrypted on this chat app, leaving each of these individuals at risk of having their personal details, and private conversations, compromised. Indeed, at least 300,000 accounts were confirmed to have been breached. Even with the mitigating factor that the company acted swiftly once the data malpractice was identified, being fined a meagre tenth of 1% of the maximum fine possible cannot possibly be seen as a meaningful disincentive given the seriousness of the breach.

Focusing again on this example, the LfDI stated in relation to the cost of updating the company's IT systems to be compliant with GDPR: “When assessing the fine, the overall financial burden on the company was taken into account in addition to other circumstances.” Although fines need to be proportionate, not punishing the company for failing to have the infrastructure required for compliance is a slap in the face to firms which have made the investment and effort to update their systems. GDPR should be an incentive for firms to have up-to-date and secure means of storing customer data; if firms are not penalised for failing to have these solutions in place, then where is the incentive for companies to comply?

One final thing noted when collecting this data is that, apart from large-scale fines which attract the attention of mainstream media sources, the figures can be challenging to find, with a lack of publicly-available data on how the fine amount was calculated. Legislation such as GDPR can only work as an effective deterrent against data misuse if enterprise-level businesses and smaller firms are treated with equal measure, relative to their size. If smaller fines on local businesses are not announced, then it becomes challenging to verify whether they are being treated leniently, or unfairly, compared to international corporations.

Consent: Legal interpretation and the rise of CMPs

Consent management platforms (CMPs) have become a highly popular way of managing user consent without having to build in-house solutions. Quantcast, one of the more popular CMPs, recently launched a commercial version of its product, with several others bound to monetise their own platforms. The increased granularity in how users' consent is managed, afforded through the upcoming release of IAB Europe’s Transparency and Consent Framework (TCF) v2.0, is bound to make both premium and free CMPs a more prevalent aspect of the ad industry.

However, it is important that both CMPs and in-house methods of confirming user consent are compliant with the legislation set out in GDPR. Indeed, Quantcast itself faces an investigation for a potential breach of user privacy. Moreover, the interpretation of these laws may in turn define how the policies are policed.

For instance, it will be interesting to note the future outcome of a legal complaint made to the Irish Data Protection Commission, against IAB Europe. This alleged that the use of their ‘cookie wall’, which denies users access to the site if they do not consent to the use of advertising cookies, does not comply with GDPR. This seemingly boils down to the interpretation of Recital 43, which states: “Consent is presumed not to be freely given […] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

On the one hand, you could argue that the use of cookies to track user activity is not necessary for a regulatory body, which is not ostensibly selling a product or service to the typical user. Alternatively, one can argue that, even though it is an industry association, IAB Europe is still a commercial venture with staff, office expenses, etc. In this case the use of advertising cookies could be defined as ‘necessary’ for the provision of its service. The recent difficulties of publishers and their reliance on advertising income are well documented, so if the data used to power said advertising is deemed unnecessary, this could have severely damaging implications for them.

Year two: What needs to be done?

Ultimately, GDPR coming into force represented a positive step forward for the ad industry and, more importantly, for the protection of consumer rights across the whole region. However, inconsistent enforcement, lenient punishments, and questions surrounding how consent can be defined all risk undermining the regulation. The ad industry, alongside legislators, should therefore consider the following over the coming year:

I. Creating an EU-wide database of fines, with banding levels depending on the severity of the violation, to ensure clarity on how firms are being treated by DPAs and to promote consistent legal action.

II. DPAs should be stricter in penalising violations of GDPR: fines that are approximately 1%, or less, of the maximum amount are not a meaningful disincentive. The cost of ensuring compliance should also be disregarded when determining penalty amounts, given that taking it into account essentially punishes companies which have invested in ensuring they are compliant.

III. Companies should strongly consider adopting the principles outlined in IAB Europe’s Transparency & Consent Framework v2.0.

IV. Monitor developments in the US, with the California Consumer Privacy Act and the potential federal-level privacy law, ‘Do Not Track Plus’. Exploring potential ways of aligning these policies would be a major milestone in establishing global consumer protections.