What a Week. Lots to Unpack.
Hello all, and thanks for reading today.
Published: January 26, 2021
Once it became clear that the EU General Data Protection Regulation's fines had the potential to be severe, there was endless speculation about which company would go down first and for what kind of misdeed.
Though the tension was palpable up to May 25, 2018 when the regulation took effect, the day and days that followed felt a little bit like sitting on your couch when the clock struck midnight on Y2K: Nothin' changed. Maybe companies could relax a bit? Maybe regulators would give them a grace period?
Looking back, expectations were a little high. Investigations into allegations of impropriety under the law take teams of people and a lot of time, after all. But as the months ticked by, privacy and consumer advocates began to get more vocal in their criticisms of data protection authorities. What good was the world's gold standard in privacy law if no one was going to police the bad actors?
More than two years into the GDPR's implementation, there seems to have been a shift in momentum. That's according to law firm DLA Piper, which this week released research tracking GDPR fines over time. In 2020, GDPR fines totaled €185.5 million, 35% more than in the 20 months previous, the report states. The Italian data protection authority imposed the highest amount in fines: €69.3 million.
It's reasonable to expect the trend to continue as regulators grow more comfortable in their roles and with the ongoing interpretations of how to apply the laws they're charged with enforcing. What will be interesting to watch is the severity of the fines to come.
Even as the fines finally started to dominate headlines, there's been much criticism that they haven't sufficiently punished tech giants like Google, Facebook and YouTube. In April 2020, The New York Times wrote a story, "Europe's privacy law hasn't shown its teeth, frustrating advocates." Its lead read, "When Europe enacted the world's toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world's largest technology companies. Now, the law is struggling to fulfill its promise."
It will be revealed in the coming days whether critics see the more expensive fine as an indicator that the GDPR is delivering on the promise it aimed to fulfill.
Enjoy reading, and we'll see you next week!
Here are the top stories you might have missed:
1. Research finds GDPR fines accelerated substantially in 2020
For months after the European General Data Protection Regulation became effective in 2018, critics were calling for stronger enforcement from data protection authorities. According to research from law firm DLA Piper, 2020 trended in that direction. Since Jan. 28, 2020, data protection authorities fined companies more than €185.5 million. “That’s a 39 percent increase on the total fines levied during the previous 20-month period since GDPR’s introduction,” New Digital Age reports.
2. Biden’s pick for FTC chief likely to increase focus on privacy cases
Leadership at the U.S. agency charged with policing consumer privacy, the Federal Trade Commission (FTC), changed hands when President Joseph Biden named Kelly Slaughter acting chair. Slaughter, a Democrat, replaces Republican Chairman Joseph Simons, who steps down Jan. 29. Bloomberg Law reports it’s likely the FTC will put more focus on privacy cases under Slaughter, as well as take action on children’s and biometric privacy.
3. UK data protection agency says adtech audits are coming
After pausing its investigation of the adtech industry given COVID-19’s disruption to businesses, the U.K. Information Commissioner’s Office (ICO) says it’s now resuming its work. The ICO has received complaints about the industry’s compliance with consent requirements under the EU General Data Protection Regulation. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry,” said ICO Deputy Commissioner Simon McDougall.
4. Norway privacy authority fines Grindr for data sharing
Norway’s data protection authority will fine Grindr $11.7 million after the dating app allegedly illegally disclosed user data to advertising firms, Thomson Reuters reports. “Our preliminary conclusion is that the breaches are very severe,” said the data protection authority.
5. Washington hopes ‘third time’s a charm’ on privacy bill
The Seattle Times reports on Washington State’s third attempt to pass privacy legislation. Rep. Reuven Carlyle, D-Seattle, drafted Senate Bill 5062, which would give Washington citizens rights over the data companies collect about them and allow them to correct or delete it. It would also allow residents to opt out of certain data uses. Those provisions align closely with Europe’s General Data Protection Regulation.
6. Hacker posts dating site data on public forum
A hacker infiltrated a dating site established in 2014, compromising more than 2.28 million users’ data. ZDNet reports this week that a security researcher discovered the MeetMindful breach, which included user names, body details, Facebook user IDs and Facebook authentication tokens. “The dating site’s data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases,” the report states.
7. Oklahoma to consider 'opt-in' privacy law
An Oklahoma lawmaker has introduced a bill that would require companies to obtain explicit opt-in consent from users before collecting or selling their personal data. Rep. Josh West, R-Grove, introduced the Oklahoma Computer Data Privacy Act, or House Bill 1602, saying, “For far too long, we have pretended the data that technology companies collect from us is harmless,” KOKH reports.
8. German state fines retailer for employee video surveillance
The German state of Lower Saxony’s data privacy authority has fined a local laptop retailer €10.4 million for its constant surveillance of employees for the past two years, ZDNet reports. The cameras were installed in the retailer’s warehouses, salesrooms and workspaces as a theft-prevention tactic, and recordings were saved for up to 60 days. “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees,” said the data privacy authority’s chief.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.