This month saw the 4-year anniversary of the introduction of the EU’s General Data Protection Regulation (GDPR), one of the most comprehensive privacy regulations to be introduced anywhere in the world. The GDPR gave EU citizens new rights over their personal data, required companies to implement safeguards to keep personal data private and confidential, and placed restrictions on the collection and processing of personal data.
When the privacy and security regulations are violated, Data Protection Authorities (DPAs) in EU member states can impose significant financial penalties, and in the past 4 years more than 900 financial penalties have been imposed for GDPR violations.
Largest GDPR Financial Penalties (May 2018 – May 2022)
- Amazon – €746 million ($847 million)
- WhatsApp – €225 million ($255 million)
- Google Ireland – €90 million ($102 million)
- Facebook €60 million ($68 million)
- Google LLC — €60 million ($68 million)
- Google – €50 million ($56.6 million)
- H&M – €35 million ($41 million)
- TIM – €27.8 million ($31.5 million)
- Enel Energia – €26.5 million ($29.3 million)
- British Airways – €22 million ($26 million)
Noncompliance with the GDPR is Widespread
While it has been four years since compliance with the GDPR became mandatory, many companies are still not compliant. A recent survey conducted by CYTRIO to assess the state of compliance at U.S. companies found that over 90% of companies were not fully compliant with the requirements of the GDPR and similar privacy laws that the GDPR inspired, such as the California Consumer Protection Act (CCPA) and the California Privacy Rights Act (CPRA).
Significant fines have been imposed, but the sheer number of complaints filed with DPAs led to them becoming overwhelmed and there is still a huge backlog in investigations. One of the problems is the one-stop-shop process, which requires cross-country complaints to be investigated by the DPA where a company has its EU base. Many large tech firms have their EU based in Ireland for instance, which means Ireland is responsible for leading the investigation of complaints about companies such as Facebook, WhatsApp, Instagram, Google, Twitter, Yahoo, Microsoft, Apple, and LinkedIn. Ireland has only completed 65% of its investigations of complaints filed since May 25, 2018, and there are currently around 400 complaints involving cross-border decisions still outstanding.
Marking the 4-year anniversary of the GDPR, the nonprofit data privacy rights group, noyb, issued a statement highlighting the failures of the GDPR and DPAs, pointing out that while the introduction of the GDPR was a hailed as a watershed moment, in 4 years the GDPR has still not resulted in a change of the culture of non-compliance in the data industry. Privacy rights are being ignored and companies are getting away with it, especially data brokers and the online advertising industry.
Noyb said investigations of these complaints are incredibly slow. Noyb has submitted around 50 cross-country complaints, and in four years has yet to get a final decision in any of those cases, even though there have been clear violations of the GDPR.
“The GDPR has not (yet) managed to get out of a pre-existing condition: a downward spiral of more and more non-compliance and non-enforcement. Just like when parts of a city become a criminal “no go” zone that are abandoned by police, it seems that many data protection authorities have lost the upper hand on many areas of the digital sphere,” explained noyb. “Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.”
Unless there are changes and much stronger enforcement, the most serious, large-scale violations of privacy rights by the big tech companies will continue and the requirements of the GDPR may just be fully ignored.