Google recently made the news with a $57M (50M Euro) fine imposed by the French Regulatory building, CNIL. The case against Google is geared towards their use of automatically opting people into advertising programs and vague privacy policies. By GDPR standards, the default behavior should be that all people are opted out of these settings and that users should explicitly opt in for the services. When opting in, it should be very transparent how your data will be used.
Since GDPR went into affect almost 9 months ago, there have been over 59,000 cases of data breach reported to the regulatory bodies (according to a report published by DLA Piper). The majority of these reports came from the United Kingdom (10,600 reports), Germany (12,600 reports) and the Netherlands (15,400 reports).
The EU has stated that they have received more than 95,000 complaints about potential data breaches since GDPR went into effect.
These numbers may be a bit misleading though. Multinational companies generally only report breaches that impact multiple jurisdictions. They normally are reported on behalf of their European headquarters which is generally seated in the UK, Germany and the Netherlands. This does not mean that the countries like Spain are better with their cybersecurity; rather it means that either it's reported elsewhere or it's not being reported at all, yet.
With this large quantity of reports to process, it is not surprising that we haven't had as many of the data breach cases hit the courtroom yet. Companies should expect a lot more fines to be forthcoming as the backlog is processed.
According to the same DLA Piper report, the official number of companies fined so far is 91. Regulatory bodies seem to be prioritizing the larger companies with more data affected. Smaller companies or companies who did not let the breach impact as much data are not receiving much attention, yet. Many of the smaller companies and smaller breaches are simply being sent warnings to improve their processes.
The lion's share of fines have come out of Germany (with over 60 fines reported). Germany's first fine, which came in November, was imposed on a social media/chat company for a data security violation. Over 330K users' data was compromised by hackers. The company received a 20K Euro fine. Their fine was lower because they notified the supervising authority and impacted customers quickly, they cooperated fully with the supervising authority, and they promptly followed recommendations on how to increase their data security.
Also in Germany, a 20K Euro fine was imposed on a company for failing to encrypt employees' passwords which then resulted in a security breach.
In Austria, a 4800 Euro fine was assessed to a company for illegal video surveillance in a public space via CCTV. An entrepreneur had a camera outside his business and he was also recording a substantial amount of a public sidewalk. There was no legitimate reason to have this kind of surveillance and it was not sufficiently marked. With GDPR, you must be transparent about the data that you collect.
In Portugal, a 400K Euro fine was assessed on a hospital after they had 985 active "doctor" accounts and only 296 active doctors on staff. During an investigation they entered a new social worker into the software and saw that the new social worker could access every patient in the system. The hospital used the software SClinico which was developed by the government but found themselves in violation due to not having good policies in place. The hospital was previously warned but did nothing about it. The GDPR violations in this case come under Articles 5, 32, and 83. You can't allow an excessive number of users to access your data. You can't violate the patient's confidentiality or diminish the integrity of their data. The hospital was also unable to ensure continued confidentiality, integrity, and accurate availability. The hospital has not issued any statements about remedying the issue.
Other fines have been assessed in relation to telemarketing and promotional emails.
It does appear that the fines are more lenient when the companies show that they are willing to work with the supervising authorities and take measures to meet GDPR compliance.
YouTube is currently a target for a GDPR complaint filed by NOYB NGO (a European privacy campaigner) on Jan 18th for Right to Access violations covered in Article 15. The maximum penalty for that case could reach close to 4 Billion Euro. Companies listed in that complaint include: Apple, Amazon, Netflix, Spotify, SoundCloud, Flimmit and DAZN.
Additionally, there was a large complaint filed by Privacy International on Nov 8th against companies who have been illegally collecting the data of millions of people to create user profiles. Companies listed in that compliant include: Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian.
Even 9 months into the regulation, it is too early to start to identify real trends in what cases will ultimately be assessed fines for GDPR violations. The large backlog of violations will clear the system and we should see a much clearer picture in the coming months. We'll also see more lawsuits and appeals for these violations.
The map referenced on the left is from another DLA Piper study. The countries with the heaviest data protection laws are in red, the most robust are in orange, moderate are in yellow, and limited are in green. Those in gray have no data available.
California (CCPA - California Consumer Privacy Act) and New York are already drafting their own data protection regulations. The United States is looking to create a national framework for data protection. We also have measures in place via our Privacy Shield agreements. Large corporations like Cisco, Apple, Facebook and Google are all working with lawmakers to help define the new federal framework.
Canada had already made strides with their PIPEDA (Personal Information Protection and Electronic Documents Act) regulations.
Australia and New Zealand have had Privacy Acts in place for some time now but they are looking to implement more broad reaching data protection acts.
In Asia, 15 countries have legislation in place - Bhutan, China, Hong Kong, India, Indonesia, Iran, Israel, Japan, South Korea, Malaysia, Nepal, Oman, Philippines, Taiwan, UAE, Vietnam and Yemen. There is a bloc that has been created called APEC (Asia-Pacific Economic Cooperation) where many of these countries are looking to develop uniform standards of data protection across the region.
Russia has data protection provisions in their Russian Constitution, particularly in their Data Protection Act No 152 and their Information, Information Technologies and Information Protection Act No 149.
Argentina has a very robust Personal Data Protection Law. They also have Article 43 in their Federal Constitution which talks about people's access to their personal information.
The African Union adopted the "Convention on Cyber Security and Personal Data" in 2014 impacting Benin, Chad, Comoros, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia. Other policies are being put into effect in: Angola, Burkina Faso, Equatorial Guinea, Mali, Gabon, Ivory Coast, Lesotho, Madagascar, Malawi, Morocco, Niger, Senegal, South Africa and Tunisia.
Data Protection and Data Privacy are going to continue to be serious topics of conversation. It's extremely important for companies to consider their data protection and data privacy processes with all of their implementations.