GDPR – Is the Dog’s Bark Worse Than Its Bite?

The GDPR came into force in May 2018 and the first fine was delivered in July 2018 for € 400,000.

By May 2019, the first full year of enforcement, the collective DPAs had issued a total of 48 fines amounting to € 51,833,345. Some fines were obvious and did not require in-depth investigations, but for the most part, responsible enforcement requires significant rigour in the process of determining fines in a fair and reasonable manner. Many of the DPAs were still struggling with legal interpretation of the GDPR and how the courts would interpret the regulations. With enforcement powers comes great responsibility and it seems most DPAs sought to be fair but strict in their enforcement activities.

There has been a lot of criticism of the lack of fines under the GDPR, but enforcementtracker.com reveals the reality. In the first 3 years of enforcement (May 2018 – May 2021) there have been 669 fines for a total of € 288,253,602.

The increase from July 2020 (332 fines for a total of € 130,696,258) to July 2021 (730 fines for a total of € 1,045,767,202) signals a direction most organizations should pay attention to. The sheer number of fines more than doubled – and that was amidst a global pandemic! As we learn to live with COVID, is it reasonable to expect that kind of increase in the coming year?

More important, the size of the fines appears to be increasing dramatically. In July 2020, 46 fines for a total of € 20,006,548 were handed out. In July 2021, 30 fines were handed out for a total of € 751,070,400!

The big tech guys are starting to get caught in the cross-hairs of the DPAs. I can imagine the legal roadblocks used to stall or delay investigations over the past 3 years, but eventually those files progress, legal hurdles are overcome and fines are issued.

We saw the first huge fine for Amazon last week – a € 746,000,000 fine from Luxembourg’s data protection authority CNPD (https://responsema.org/privacy/eu-slaps-amazon-with-a-record-886-million-fine-over-privacy-violations/). That’s $886 million USD! Even with Amazon having a $100 billion quarter, someone is going to notice a fine this size. Until now, $50 million to Google was the largest fine under the GDPR.

But here is the reality about GDPR enforcement: each fine is for specific actions in a given period of time. Should these large tech companies continue to abuse individuals’ privacy rights, the fines will just keep rolling. Remember, one dog bite hurts. Many dog bites can be lethal.

Clearly the enforcement of the GDPR is real. The EU Parliament has given businesses lots of time to adjust their data processing practices. Change is happening slowly but with these kinds of fines, will real change happen a little faster? I think “this dog’s big bark” has teeth and we are just seeing the beginning stages of real enforcement of the GDPR. Cute puppies do grow into full size dogs.
