GDPR To Celebrate One-Year Enforcement Anniversary

Today in Security: GDPR To Celebrate One-Year Enforcement Anniversary

Saturday marks the one-year anniversary of the European Union’s General Data Protection Regulation (GDPR) compliance enforcement deadline, and many are surprised by the lack of big fines and enforcement actions taken by regulators so far.

“So far almost 100,000 privacy complaints have been filed with national privacy regulators, though only a few have led to meaningful penalties,” according to Politico. “Total fines have now reached roughly €56 million, although almost all of that came from a one-off €50 million levy against Google by French officials.”

France’s National Data Protection Commission (CNIL) fined Google in January 2019 for violating GDPR’s transparency, information, and consent provisions.

“Despite the measures implemented by Google, the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations,” CNIL said. The commission added that the violations are “continuous breaches of the regulation as they are still observed to date. It is not a one-off, time-limited infringement.”

Google is appealing CNIL’s fine. The company said in a statement that it worked “hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,” according to Fortune.

Along with the Google fine, regulators made some moves that could have ramifications for the security industry. For instance, Ireland’s Data Privacy Commission (DPC) launched 52 formal statutory inquiries under the GDPR, some based on complaints and others opened through the scope of its own work.

“Shortly after the GDPR entered into force, the DPC launched 31 inquiries into public sector surveillance of citizens for law-enforcement purposes through the use of CCTV, body cameras, drones, and other technologies,” according to a white paper by the International Association of Privacy Professionals (IAPP).

Based on these inquiries, Ireland’s DPC will publish guidance on CCTV, breach notification procedures, and other factors. It’s not alone, either, as other regulators plan to issue additional guidance to help companies achieve or remain in compliance with the GDPR, including for connected vehicles, projects related to blockchain, and artificial intelligence.

And while regulators have not issued numerous major fines in the first year of enforcement, the GDPR has served as a “step change that highlighted how badly the Internet and some businesses were handling people’s personal data,” according to WIRED.