Saturday marks the one-year anniversary of the European
Union’s General Data Protection Regulation (GDPR) compliance enforcement
deadline, and many are surprised by the lack of big fines and enforcement
actions taken by regulators so far.

“So far almost 100,000 privacy complaints have been filed
with national privacy regulators, though only a few have led to meaningful
penalties,” according to Politico. “Total fines have now reached roughly €56
million, although almost all of that came from a one-off €50
million levy against Google by French officials.”

France’s National Data Protection Commission (CNIL) fined
Google in January 2019 for violating GDPR’s transparency, information, and

“Despite the measures implemented by Google, the
infringements observed deprive the users of essential guarantees regarding
processing operations that can reveal important parts of their private life
since they are based on a huge amount of data, a wide variety of services, and
almost unlimited possible combinations,” CNIL said. The commission added that
the violations are “continuous breaches of the regulation as they are still
observed to date. It is not a one-off, time-limited infringement.”

Google is appealing CNIL’s fine. The company said in a
statement that it worked “hard to create a GDPR consent process for
personalized ads that is as transparent and straightforward as possible, based
on regulatory guidance and user experience testing,” according to Fortune.

Along with the Google fine, regulators made some moves that could
have ramifications for the security industry. For instance, Ireland’s Data
Privacy Commission (DPC) launched 52 formal statutory inquiries under the GDPR,
some based on complaints and others arising through the scope of its own work.

“Shortly after the GDPR entered into force, the DPC launched
31 inquiries into public sector surveillance of citizens for law-enforcement
purposes through the use of CCTV, body cameras, drones, and other technologies,”
according to a white paper by the International Association of Privacy Professionals (IAPP).

Based on these inquiries, Ireland’s DPC will publish
guidance on CCTV, breach notification procedures, and other factors. It’s not
alone, either, as other regulators plan to issue additional guidance to help
companies maintain, or achieve, compliance with the GDPR, including for connected
vehicles, projects related to blockchain, and artificial intelligence.

And while regulators have not issued numerous major fines in
the first year of enforcement, the GDPR has served as a “step change that
highlighted how badly the Internet and some businesses were handling people’s personal
data,” according to WIRED.