Though the tension was palpable up to May 25, 2018 when the regulation took effect, the day and days that followed felt a little bit like sitting on your couch when the clock struck midnight on Y2K: Nothin' changed. Maybe companies could relax a bit? Maybe regulators would give them a grace period?
Looking back, expectations were a little high. Investigations into allegations of impropriety under the law take teams of people and a lot of time, after all. But as the months ticked by, privacy and consumer advocates began to get more vocal in their criticisms of data protection authorities. What good was the world's gold standard in privacy law if no one was going to police the bad actors?
More than two years into the GDPR's implementation, there seems to have been a shift in momentum. That's according to research by law firm DLA Piper, who this week released research tracking GDPR fines over time. In 2020, GDPR fines totaled €185.5, 35% more than in the 20 months previous, the report states. The Italian data protection authority imposed the highest amount in fines: €69.3 million.
It's reasonable to expect the trend to continue as regulators grow more comfortable in their roles, as well as the ongoing interpretations of how to apply the laws they're charged with enforcing. What will be interesting to watch is the severity of the fines to come.
Even as the fines finally started to dominate headlines, there's been much criticism they haven't sufficiently punished tech giants like Google, Facebook and YouTube. In April 2020, The New York Times wrote a story, "Europe's privacy law hasn't shown its teeth, frustrating advocates." It's lead read, "When Europe enacted the world's toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world's largest technology companies. Now, the law is struggling to fulfill it's promise."
It will be revealed in coming days whether critics see the more expensive fine as an indicator the promise the GDPR aimed to deliver is doing just that.
Enjoy reading, and we'll see you next week!
Here are the top stories you might have missed:
Research finds GDPR fines accelerated substantially in 2020
For months after the European General Data Protection Regulation became effective in 2018, critics were calling for stronger enforcement from data protection authorities. According to research from law firm DLA Piper, 2020 trended in that direction. Since Jan. 28, 2020, data protection authorities fined companies more than €185.5 million. “That’s a 39 percent increase on the total fines levied during the previous 20-month period since GDPR’s introduction,” New Digital Age reports.
2. Biden’s pick for FTC chief likely to increase focus on privacy cases
Leadership at the U.S. agency charged with policing consumer privacy, the Federal Trade Commission (FTC), changed hands when President Joseph Biden named Kelly Slaughter acting chair. Slaughter, a Democrat, replaces Republican Chairman Joseph Simons, who steps down Jan. 29. Bloomberg Law reports it’s likely the FTC will put more focus on privacy cases under Slaughter, as well as take action on children’s and biometric privacy.
3. UK data protection agency says adtech audits are coming
After pausing its investigation of the adtech industry given COVID-19’s disruption to businesses, the U.K. Information Commissioner’s Office (ICO) says it’s now resuming its work. The ICO has received complaints about the industry’s compliance with consent requirements under the EU General Data Protection Regulation. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry,” said ICO Deputy Commissioner Simon McDougall.
4. Norway privacy authority fines Grindr for data sharing
Norway’s data protection authority will fine Grindr $11.7 million after the data app allegedly illegally disclosed user data to advertising firms, Thomson Reuters reports. “Our preliminary conclusion is that the breaches are very severe,” said the data protection authority.
5. Washington hopes ‘third time’s a charm’ on privacy bill
The Seattle Times reports on Washington State’s third attempt to pass privacy legislation. Rep. Reuven Carlyle, D-Seattle, drafted Senate Bill 5062, which would give Washington citizens rights over the data companies’ data collect about them and allow them to correct or delete it. It would also allow residents to opt-out of certain data uses. Those provisions align closely with Europe’s General Data Protection Regulation.
6. Hacker posts dating site data on public forum
A hacker infiltrated a data site established in 2014, compromising more than 2.28 million users’ data. ZDNet reports this week a security researcher discovered the MeetMindful breach, which included user names, body details, Facebook user IDs and Facebook authentication tokens. “The dating site’s data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases,” the report states.
7. Oklahoma to consider 'opt-in' privacy law
An Oklahoma lawmaker has introduced a bill that would require companies to obtain explicit opt-in consent from users before collecting or selling their personal data. Rep. Josh West, R-Grove, introduced the Oklahoma Computer Data Privacy Act, or House Bill 1602, saying, “For far too long, we have pretended the data that technology companies collect from us is harmless,” KOKH reports.
8. German state fines retailer for employee video surveillance
The German state of Lower Saxony’s data privacy authority has fined a local laptop retailer €10.4 million for its constant surveillance of employees for the past two years, ZDNet reports. The cameras were installed in the retailer’s warehouses, salesrooms and workspaces as a theft-prevention tactic, and recordings were saved for up to 60 days. "Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees,” said the data privacy authority’s chief.