GDPR Enforcement
The need for United States and Canadian Businesses to have a GDPR Compliance Initiative in place is paramount.
The General Data Protection Regulation (GDPR) became effective on May 25, 2018 (the “Effective Date”). GDPR is the widest sweeping privacy regulation to hit the global market since the 1995 EU Data Protection Directive. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU residents (EU data subjects). The new legislation introduces tough new fines for non-compliance and gives individuals assorted rights regarding how their data may be used (“data processing”) by companies doing business involving EU data subjects. The regulation also affects US businesses through its extraterritorial jurisdiction and scope, and it requires organizations governed by the regulation to memorialize their data processing activities through a contract pursuant to GDPR Article 28. The fines for non-compliance can be as much as 20 million euros or 4 percent of annual revenues (whichever is higher). Since the GDPR Effective Date, GDPR regulators in the European Union have initiated several enforcement actions and have issued fines. These enforcement actions appear to be ramping up significantly. Here is a list of the most recent regulatory actions.
2018 GDPR ENFORCEMENT ACTIONS
- June 2018
Teemo and Fidzup – European Companies = Warning – The French Supervisory Authority (“CNIL”), issued warnings to two companies, Teemo and Fidzup, for issues connected with their provision of platforms to mobile apps that enabled targeted advertising through the use of location data.
- July 2018
Hospital near Lisbon – European Company = €400,000 fine – The Portuguese Supervisory Authority (“CNPD”) fined a hospital €400,000 for breaching GPDR’s provisions, reportedly for failing to prevent hospital staff from using false profiles to access patient data.
- September 2018
Small Local Business – European Company = €4,800 fine – The Austrian Supervisory Authority (“DSB”) issued a fine of €4,800 under the GDPR to an entrepreneur who reportedly installed a CCTV camera that recorded a significant portion of public pavement beyond their business premises.
- October 2018:
AggregateIQ (“AIQ”) – Canadian Company = Warning – Five days after GDPR’s Effective Date, AIQ was regulated by the United Kingdom’s data protection authority, the Information Commissioner’s Office (“ICO”). The ICO accused AIQ of using personal data—including names and email addresses—of U.K. individuals to target them with political advertising messages on social media. AIQ was accused of processing people’s data “for purposes which they would not have expected”. The ICO ordered the company to erase any personal data of U.K. individuals retained on its servers. ICO mandated AIQ to comply with its enforcement notice within 30 days or face a fine of up to €20 million.
- November 2018
Knuddels.de – German Company = € 20,000 fine – Knuddels reported a data breach, and upon investigation, the local data protection agency determined the site had been storing user passwords in plaintext without hashing. The German data protection authority (“LfDI Baden-Württemberg”) imposed a fine of € 20,000, stating “By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a). The violation concerned GDPR’s provision on “the pseudonymisation and encryption of personal data”. The fine was issued over the data storage practices, not the breach itself.
- October 2018 – December 2018
Facebook – United States Company = Investigation – The Irish Supervisory Authority (“DPC”) announced an investigation into Facebook for potential data breaches since the GDPR Effective Date, and therefore the DPC has initiated inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.
2019 GDPR ENFORCEMENT ACTIONS
- January 2019
Twitter – United States Company = Investigation – The Irish, Data Protection Commission (“DPC”) is currently investigating Twitter’s compliance with its obligations under the GDPR to implement technical and organizational measures to ensure the safety and safeguarding of the personal data it processes. This investigation commenced in November 2018 following receipt of a number of breach notifications from the company since the introduction of the GDPR. The DPC has this week opened a new statutory inquiry into the latest data breach it received from Twitter on 8 January, 2019. This inquiry will examine a discrete issue relating to Twitter’s compliance with Article 33 of the GDPR.
Google – United States Company = € 50,000,000 fine – The French Supervisory Authority (“CNIL”), levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”. The regulator said it judged that people were “not sufficiently informed” about how Google collected data to personalize advertising. Complaints against Google were filed in May 2018 by two privacy rights groups: noyb and La Quadrature du Net (“LQDN”). The first complaint under GDPR was filed on 25 May 2018, the day the legislation took effect. The groups claimed Google did not have a valid legal basis to process user data for ad personalization, as mandated by the GDPR.
- February 2019 and Beyond
Amazon, Apple, Google, Netflix and Spotify – United States Companies = Investigation – All of these companies have been accused of violating GDPR and investigations are currently under investigation. GDPR requires EU customers to have the right to access a copy of the personal data companies hold about them. However, privacy groups in Europe say that most of the big streaming companies did not fully comply with GDPR.
WHY REPORTING ON THIS TOPIC MATTERS
United States and Canadian Businesses that are subject to the requirements of GDPR should ensure that they are in compliance, or they may face similar action. Most United States and Canadian companies think they are immune to this law, but through these recent enforcement actions regulators in Europe are showing how wide sweeping this will become in the coming years. Companies not already in compliance need to have a GDPR Compliance Initiative in place, because the above GDPR regulatory enforcement actions show that consumer rights groups a prowling United States companies to see if they are in compliance. If not, these companies are reported to the data protection authority of choice to initiate a fine. According to news reports, Austria’s DPA already has 115 U.S. proceedings pending and another 58 investigations underway.
What A “GDPR COMPLIANCE INITIATIVE” LOOKS LIKE
If you have no idea where to start, or if you are looking for counsel to help you, the following items need to be at least a part of your GDPR Initiative.
- Inform your leadership and formulate a plan.
- Appoint a data protection officer.
- Map your personal data.
- Data Protection Impact Assessment.
- Review whether the grounds for which the personal data is being processed is lawful.
- Update your data governance.
- Implement new compliance systems.
- Review your vendor contracts.
- Review your insurance policies.
- Review of your external facing documentation.
- Assess your international transfers.
- Work with legal counsel experienced in assisting with international data security and privacy matters.
If you have questions about how to navigate GDPR’s complex requirements, Scott & Scott is available to assist you.