Five Years After GDPR Became Effective: An Executive-Level Sampling of the Global Privacy Enforcement Landscape
Jerry F. Barbanel, Esq., CPA, CIPP/US/E/A/C, CIPM, FIP
Fellow of Information Privacy (FIP), Data Privacy, Data Protection, Data Governance, National Security, Legal, Investigations, Compliance, Ethics, Risk Mitigation, eDiscovery, Expert
The EU GDPR is widely considered to be the gold standard for comprehensive privacy legislation—and it has a highly effective and much strengthened enforcement mechanism.??Since going into effect on May 25, 2018, the GDPR has created a domino effect for the passage of privacy laws and regulations throughout the world, on both macro (national) and micro (state and local) levels.??As the sheer monetary size of privacy sanctions keep increasing, it is no longer a question as to whether an administrative fine will be handed out that meets the maximum penalty under Article 83(5); but more realistically, a matter of when it will happen.??
Enforcement Actions Have Revealed That Foundational Privacy Principles Are Still Not Being Complied With
The GDPR clearly set forth foundational data processing privacy principles in Article 5.??Of import, those principles had already been well established and recognized in the privacy arena for decades.??The GDPR principles included: (1) lawfulness, fairness and transparency; (2) storage limitation; (3) integrity and confidentiality; (4) data minimization; (5) purpose limitation; and (6) accuracy.??
A careful examination of recent cases brought by privacy regulators indicates that a significant number of enforcement actions have focused on violations specifically related to the first listed of the six above-referenced data processing foundational principles: “lawfulness, fairness and transparency”.??Privacy advocates throughout the globe have repeatedly called on companies to provide fair and reasonable notice that is easily comprehended by customers and other data subjects.??Both the GDPR and other privacy legislation have been enacted to ensure that there is full transparency with respect to what is going to be done with personal data that is collected and processed, a determination as to the lawful purpose with respect to that data, as well as how long the data will be retained.??There has been a growing demand that consent be explicit, for data subjects to have access to and additional rights with regards to their data, and for privacy notices to utilize plain language that is concise and readily understandable by the general population.
Privacy regulators and advocates have uncovered and exposed a multitude of companies for violating fundamental privacy principles, and in particular those related to “lawfulness, fairness and transparency”.??Similar to the GDPR, other privacy legislation has included provisions for substantial sanctions.??To avoid hefty monetary fines companies need to become more educated about what consequences they could potentially face, analyze some of the more recent enforcement actions and learn from the mistakes of others, implement best practices, and take necessary steps to remediate any risks - prior to the time that they become a major issue for their own organization.??Companies that do not take privacy seriously risk alienating and losing the trust of their consumers, in addition to facing severe legal, economic and reputational risks as the GDPR strongly promotes and imposes accountability.
Representative Highlights From Some Recent EU GDPR Privacy Enforcement Actions
The Data Protection Authorities (DPAs) in the EU Member States have been extremely active and are continually levying more substantial monetary sanctions.??During the past eight months alone there have been fines imposed ranging from seven to ten figures.??
The Irish Data Protection Commission (DPC), in January 2023, levied a fine against Meta Platforms Inc. (Meta, which is the parent company of Facebook, Instagram, WhatsApp and many other entities) in the aggregate amount of 390 million Euro for two inquiries related to Meta’s data processing practices.??The 390 million Euro fine was composed of (1) a 210 million Euro fine against Facebook, and (2) a 180 million Euro fine against Instagram. In part, the Irish DPC determined that Meta violated Article 5(1)(a), which mandates that personal data is processed in accordance with lawfulness, fairness and transparency.
To demonstrate the extent of the collaboration between the various DPAs and Supervisory Authorities (SAs) in the EU, prior to handing out this significant fine to Meta, the Irish DPC consulted with DPAs from other EU Member States, as well as submitted its findings to the European Data Protection Board (EDPB).??The EDPB reviewed the administrative fine that was proposed by the Irish DPC and determined that it “... does not adequately reflect the seriousness and severity of the infringement nor has a dissuasive effect on Meta IE.”
The EDPB went further and directed that “... the IE SA to set out a significantly higher fine amount for the transparency infringements identified … In doing so, the IE SA must remain in line with the criteria of effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall reassessment of the amount of the administrative fine.”??The Irish DPC adopted the EDPB’s findings and levied a fine in the aggregate amount of 390 million Euro.??
The magnitude of the aggregate administrative fine of 390 million Euro against Meta was noteworthy, however in 2022, the Irish DPC additionally handed out two other ten figure fines against Meta.??The first one related to Instagram’s violations, involving child privacy settings, and in September 2022 the Irish DPC handed out a fine of 405 million Euro. Then, just two months later, in November 2022, the Irish DPC levied a fine against Facebook in the amount of 265 million Euro for not protecting its users against data scraping.??These few cases alone account for in excess of one billion Euro in administrative fines that were levied against Meta in just five months by the Irish DPC.
Most recently, on May 12, 2023, the Irish DPC adopted a final decision in a landmark case that focused on the validity of Facebook’s transatlantic transfers of personal data from the EU to the US that had transpired over the course of several years.??The decision was officially published on May 22, 2023.??Of import, the Irish DPC was ordered by the EDPB to levy a record setting GDPR fine against Meta in the amount of 1.2 billion Euro.??Of import, Meta was given five months to suspend any future transfers to the US of personal data collected from Facebook users in the EU.
Since 2018, it is worth noting that the administrative fines (taken in the aggregate) levied in the EU have been accelerating each and every year.
Better Understanding GDPR Administrative Fines and How They are Calculated
The GDPR’s comprehensive approach to privacy has been strengthened by the enormity of potential administrative fines (sanctions) that can be imposed.??Article 83(4) allows for maximum fines of up to 10 million Euro or two percent of total worldwide annual turnover in preceding year for undertakings, whichever is higher, if certain criteria are met.??Whereas, Article 83(5) allows for maximum fines of up to 20 million Euro or four percent of total worldwide annual turnover in preceding year for undertakings, whichever is higher, if certain criteria are met.??Article 83(4) pertains to issues, including those that relate to Articles 8, 11, 25-39, 41(4), 42-43; and Article 83(5) pertains to issues, including those that relate to Articles 5-7, 9, 12-22, 44-49, 58(1) and 58(2).
On May 12, 2022 the EDPB adopted Version 1.0 of “Guidelines 4/2022 on the calculation of administrative fines under the GDPR” (the Guidelines).??The Guidelines are broken out into eight detailed chapters and provide a five step process as to how to calculate and determine administrative fines under Article 83 of the GDPR.??
Step One?of the Guidelines deals with “... identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR.”??This step is detailed in Chapter 3 of the Guidelines.??
Step Two?of the Guidelines relates to “... finding the starting point for further calculation based on an evaluation.”??This step is detailed in Chapter 4 of the Guidelines and takes into consideration “... (a) the classification in Article 83(4)-(6) GDPR; (b) the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR; (c) the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.”
领英推荐
Step Three?of the Guidelines has to do with “... evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly.”??This step is detailed in Chapter 5 of the Guidelines.??Step Four?of the Guidelines deals with “... identifying the relevant legal maximums for the different processing operations.??Increases applied in previous or next steps cannot exceed this amount.”??This step is detailed in Chapter 6 of the Guidelines.
Lastly,?Step Five?relates to “... analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR, and increasing or decreasing the fine accordingly.??This final step is detailed in Chapter 7??of the Guidelines.??The EDPB makes it clear that these are simply guidelines and should not be interpreted as an exact science, and specifically stated “... the individual setting of a fine must always be based on a human assessment of all relevant circumstances of the case and must be effective, proportionate and deterrent with regard to that specific case.??It should be kept in mind that these guidelines cannot anticipate each and every possible particularity of a case and in this regard cannot provide an exhaustive guidance for supervisory authorities.”??Of note, one of the EDPB’s objectives in adopting these guidelines was to “... facilitate further harmonization and transparency on the fining practice of supervisory authorities” throughout the EU Member States.
Privacy Enforcement is Global and the Fines are Becoming Substantial
Although EU privacy enforcement has been extensively hailed, and has been modeled after throughout the world, privacy violations are also being vigorously enforced in non-EU jurisdictions as well.??In November 2022, Google agreed to a 391.5 million U.S. Dollar settlement with the attorney generals from 40 U.S. States.??According to the lawsuit brought by the Texas Attorney General “... Google provides a setting called “Location History” and tells users that, if they turn it off, “the places you go are no longer stored.”??In spite of this assurance, Google continues to track users’ location through other settings and methods that it fails to adequately disclose.”?
Interestingly, this privacy action against Google was brought based on the violation of Texas’ Deceptive Trade Practices Act.??At the time that the litigation was filed against Google Texas did not yet have a comprehensive privacy law on its books, so it brought the privacy case, based on other grounds.??Of note, on May 10, 2023 the Texas Senate passed the Texas Data Privacy and Security Act.??Prior to 2023, only five U.S. States had enacted comprehensive privacy legislation (California, Colorado, Connecticut, Utah and Virginia).??However, in the first five months of 2023, five more states’ legislatures have voted to approve a comprehensive privacy law (Iowa, Indiana, Montana, Tennessee and Texas).??It is anticipated that even more U.S. States will be enacting comprehensive privacy laws in the foreseeable future.
In the U.S. the most well-known and powerful force in the privacy enforcement area has been the FTC.??Although the FTC has levied some of the most substantial privacy fines in the world (including the single largest privacy fine in history to date), they have done so despite the fact that the U.S. still does not have a comprehensive federal privacy law on its books.??Of note, it is anticipated that the U.S. Congress will pass comprehensive federal privacy legislation in the foreseeable future as there is wide support from both aisles, and also support from the President of the United States.??The FTC, which has built a formidable track record for bringing privacy enforcement actions, is likely to be named as the federal agency that would officially be the U.S. Government’s primary privacy regulator once the legislation is enacted.??Under new federal privacy legislation the FTC will undoubtedly have a much bigger budget that will allow for more resources and the ability to achieve a more robust agenda with a larger team of privacy professionals.??
The FTC has brought some of the most notable privacy cases, based on unfair and deceptive trade practice grounds.??In particular, “... Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce … are … declared unlawful.”??In December 2022, the FTC imposed an aggregate fine on Epic Games (Epic) in the amount of 520 million U.S. Dollars, which was composed of two components.??The first part relates to a 275 million U.S. Dollar fine for violating the Children’s Online Privacy Protection Act due to Epic’s improper data collection practices from children under the age of 13 (without their parents’ consent).??The second part relates to a 245 million U.S. Dollar refund that Epic was ordered to pay to customers as a result of Epic’s unfair billing practices that were referenced as being dark patterns.
In addition, in May 2022 the FTC levied a fine of 150 million dollars against Twitter for “... deceptively using account security data for targeted advertising.??Twitter asked users to give their phone numbers and email addresses to protect their accounts.??The firm then profited by allowing advertisers to use this data to target specific users.”???Of import, in 2019 the FTC imposed a 5 billion U.S. Dollar penalty on Facebook as well as ordered privacy restrictions to be put in place that should increase accountability and transparency.??The FTC determined that Facebook had “... violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.??The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy …”.??
Privacy regulators around the world are successfully bringing privacy enforcement actions against companies, which are similar in nature to cases that have already been brought by their regulatory peers from other countries.??These piggyback types of legal and regulatory enforcement actions should set off alarm bells for global companies as privacy regulators around the world continue to act in a coordinated and collaborative manner to go after those companies that violate the privacy rights of their respective citizens.??
In August 2022, in a case similar to the aforementioned litigation that was brought against Google by the 40 attorney generals in the U.S., a court in Australia determined that Google had violated Australian Consumer Law by misrepresenting the use of its location tracker data to individuals and ordered Google to pay a fine of 60 million Australian Dollars.??In addition, South Korea’s Personal Information and Protection Commission in September 2022 levied fines of 69.2 billion Won against Google, and a fine of 30.8 billion Won against Meta for their respective companies tracking consumers’ online behavior (without their consent) so that their data could be used for targeted advertisements.
Given that privacy enforcement is now a global phenomenon, and that the monetary sanctions are increasing substantially, companies would be prudent to redouble their efforts to reexamine and reassess if their organizations are in compliance with the multitude of privacy laws and regulations in effect—as well as if they are in compliance with consumer protection laws that target unfair and deceptive trade practices.
Privacy Compliance is Critically Essential, As New Legislation Casts a Wider Net
There is a bevy of privacy legislation being enacted throughout the globe, thus casting an ever wider net to enforce against those that violate privacy laws and regulations.??In the EU, the Digital Markets Act was enacted on November 1, 2022.??Technology platforms that act as “gatekeepers” are going to be carefully examined to ensure that they are not creating unfair conditions for those that use them.??Entities will be required to register with the European Commission if they meet the Digital Market Act’s gatekeeper criteria.??Finally, the gatekeepers are mandated to be in compliance with the Digital Markets Act by March 6, 2024.
To avoid privacy enforcement pitfalls, organizations need to implement an across the board privacy regime that effectively ensures compliance with the myriad of existing privacy laws and regulations.??In-house privacy professionals need to collaborate with the relevant business units (and with outside counsel, consultants and privacy experts) and confirm that data privacy impact assessments are being continually performed and that any identified privacy risks are remediated in a timely manner.??DPAs and other privacy regulators across the globe have advocated for and promoted best practices for compliance with respect to privacy rights, including implementing privacy by design, and establishing effective privacy policies and procedures.??The ability for entities to prevent, detect and remediate privacy risks not only makes good business sense, but it will help protect an organization against receiving substantial and severe privacy sanctions.
?
About the Author:?
Jerry Barbanel is a Fellow of Information Privacy (FIP), and has earned seven certifications in data privacy, data protection and data governance (including CIPP-US, CIPP-E, CIPP-A, CIPP-C and CIPM).??In addition, he serves as an IAPP Advisory Board Member for the CIPP-E Exam Development Board (2021 to 2023).