Notable GDPR Enforcement Actions in the First Year and Key Takeaways

Published On May 24, 2019 | By Michelle Anderson, Plamena Gerovska and Mason Weisz | Data Security, General, International, Privacy

In the year since the General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, companies worldwide have been adapting to the new privacy rules—and EU regulators have also been busy adjusting to the new regime, handling an influx of data subject complaints, issuing guidelines and opinions, conducting investigations, and bringing enforcement actions for violations of the GDPR.

While regulators’ priorities vary slightly by jurisdiction, common issues for complaints and enforcement relate to marketing and advertising, data security and data breaches, data subject rights, and processing sensitive personal data and personal data of children. The European Commission reported that since May 25, 2018, European data protection authorities have received 144,376 GDPR complaints, mostly regarding telemarketing, promotional emails, and video surveillance/CCTV, and 89,271 data breach notifications.

The biggest fine to date (EUR 50 million) was issued against Google by the French data protection authority (the “CNIL”), which alleged, among other things, that Google failed to be transparent about its marketing activities and did not obtain valid consent for personalized advertising. Despite the oft-cited potential penalties under the GDPR of the greater of EUR 20 million or 4% of annual global turnover, however, most enforcement actions thus far have not imposed fines of similar heft. Instead, many regulators seem to have exercised restraint, understanding that all companies are adjusting to the GDPR.

Looking ahead, we expect regulators to continue to focus on these areas, and a number of regulators have already indicated their interest in these issues. At the IAPP Global Privacy Summit, Elizabeth Denham, head of the UK Information Commissioner, noted that her enforcement priorities include ensuring that the online advertising industry is transparent and fair and that companies comply with the GDPR’s strengthened privacy protections for children. In April 2019, the CNIL similarly emphasized the importance of children’s data, stating in its working plan for 2019 that its activities will focus on inspections of companies’ compliance with processing children’s data, data subjects’ rights, and the division of responsibilities between data controllers and processors. We also anticipate seeing higher fines, as enforcement actions and regulatory guidance provide companies with a better understanding of their compliance obligations—and fewer excuses for non-compliance.

For a sampling of enforcement actions and links to regulatory reports from May 25, 2018 – May 25, 2019, please click on a country below.


About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Prior to joining ZwillGen, Plamena served as a Privacy Analyst at Promontory Financial Group, an IBM company, where she assisted attorneys on compliance with the EU General Data Protection Regulation (“GDPR”), Russian data localization laws and other international privacy laws. Before that, Plamena spent a summer interning at different London law firms supporting the technology teams on issues related to the UK data protection laws and international data transfers.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.
