Three and a half years since it was passed into law, the General Data Protection Regulation is finally beginning to have an effect. The number of fines has picked up since 2020, above all thanks to Spain, though it is its two historic sanctions against Amazon and Whatsapp in the summer that show signs of the data protection revolution that many had hoped the regulation would unleash.
Both fines amount to 75% of the maximum punishment for violating one of the fundamental data protection rights in the European Union, the UK, Liechtenstein and Norway. A total of €1.3bn has been collected from eight hundred and eighty sanctions since May 2018. To the delight of EU institutions, it has been authorities in Luxembourg and Ireland, key to the implementation of GDPR rules as bases for many of the largest tech corporations in Europe and who, up until now, have seemed rather laid back, who are now baring their teeth.
The source is Privacy Affairs , a group of data security professionals and tech journalists spread across the world who are monitoring GDPR sanctions that member states make public.
The imposition of fines was not exactly a guiding principle of GDPR but it provides a good indication of how frequently the law is being applied. GDPR conferred on its member states the power to issue warnings and, in the most serious of cases, fines if an article of the regulation was violated. The final economic punishment is decided by each agency according to the gravity, the intentionality and the cooperation of the company facing the fine, with a maximum amount of €20m or the equivalent of 4% of annual income, whichever is greater.
A lack of fines would more likely show the limited application of the law rather than perfect abidance by it.
Spain: The great defender of internet users
At the time of writing, Spain has issued more fines than any other country, with a third of the total (303), followed in the distance by Italy (91) and Romania (91). For Juan Fernando López Aguilar, Chair of the Committee on Civil Liberties, Justice and Home Affairs, Spain “has a high awareness of digital rights” and the Ministry of Justice and the Spanish Data Protection Agency “were especially well prepared to implement the new law”.
The socialist MEP explains that “many cases have been brought to the attention of the European judiciary by Spain, such as the right to be forgotten [the Spanish judiciary first recognised this in 2015 in a