Three and a half years since it was passed into law, the General Data Protection Regulation is finally beginning to have an effect. The number of fines has picked up since 2020, above all thanks to Spain, though it is the two historic sanctions against Amazon and WhatsApp this summer that show signs of the data protection revolution that many had hoped the regulation would unleash.
Both fines amount to 75% of the maximum punishment for violating one of the fundamental data protection rights in the European Union, the UK, Liechtenstein and Norway. A total of €1.3bn has been collected from eight hundred and eighty sanctions since May 2018. To the delight of EU institutions, the authorities now baring their teeth are those of Luxembourg and Ireland, which are key to the implementation of GDPR rules because they host many of the largest tech corporations in Europe and which, up until now, had seemed rather laid back.
The source is Privacy Affairs, a group of data security professionals and tech journalists spread across the world who are monitoring the GDPR sanctions that member states make public.
The imposition of fines was not exactly a guiding principle of GDPR, but it provides a good indication of how frequently the law is being applied. GDPR conferred on its member states the power to issue warnings and, in the most serious of cases, fines if an article of the regulation was violated. The final economic punishment is decided by each agency according to the gravity and intentionality of the violation and the cooperation of the company facing the fine, up to a maximum of €20m or the equivalent of 4% of annual income, whichever is greater.
A lack of fines would more likely show the limited application of the law rather than perfect abidance by it.
Spain: The great defender of internet users
At the time of writing, Spain has issued more fines than any other country, with a third of the total (303), followed at some distance by Italy (91) and Romania (91). For Juan Fernando López Aguilar, Chair of the Committee on Civil Liberties, Justice and Home Affairs, Spain “has a high awareness of digital rights” and the Ministry of Justice and the Spanish Data Protection Agency “were especially well prepared to implement the new law”.
The socialist MEP explains that “many cases have been brought to the attention of the European judiciary by Spain, such as the right to be forgotten [the Spanish judiciary first recognised this in 2015 in a legal dispute with Google that ended up in the European courts]”.
The good work of Spain’s data protection agency has not, however, meant that the country has taken in the biggest haul from those falling foul of the law. The richest takings have gone to Luxembourg and Ireland, countries which have, paradoxically, handed out only eleven and nine fines respectively, though among those fines are some of the largest in the history of GDPR.
In particular, Luxembourg’s National Commission for Data Protection fined Amazon €746m in July for illegally using the data of its clients to design more personalised advertising. For its part, the Irish Data Protection Commission did the same to WhatsApp in September, fining it €226m for not correctly informing its European users about the way it shared data with Facebook.
Beyond these record figures (the subsequent legal battle started by the fined companies, with teams of powerful lawyers, will probably lead to a reduction), both cases have marked a before and after in the enforcement of GDPR and among its protagonists. It has changed the game both for Big Tech, which had dodged GDPR rules up until this point, and for Luxembourg and Ireland, which had previously been hamstringing its implementation.
The One Stop Shop, a double-edged sword
In order to avoid overlaps, GDPR rules dictate that it must be the country in which an offending company is based that brings the case to the European courts. This mechanism, known as the ‘one stop shop’, privileged companies based in Ireland (the European base for Apple, Facebook, Google, Microsoft and Twitter, among others) and Luxembourg (home to Amazon and PayPal). Their generous corporation tax rates had already led the European Parliament to conclude in 2019 that both Luxembourg and Ireland resembled tax havens, and this made them the perfect European base for US multinationals.
Little by little, complaints about the two countries from data protection agencies in other EU member states were piling up, particularly in the case of Ireland, which received 21% of all complaints, according to data from the Irish Council for Civil Liberties. Due to the inaction and lack of decisions by the Irish authorities, the European Parliament recommended to the European Commission that it begin infringement proceedings against Ireland for its failure to enforce GDPR laws.
This is why the two fines handed out in Dublin and Luxembourg have been hailed in Brussels: they place both countries on the necessary path towards an across-the-board European implementation of data protection standards. It is, however, a cautious optimism, given that Ireland’s Data Protection Commission still has 98% of its transnational cases unresolved.
In fact, when contacted about these issues, sources from the Committee mentioned “two important decisions” that had been made by both countries, though they recognise that “collaboration between authorities needs to improve” and that, for the system to work, “it is crucial to develop confidence and foster a European spirit of cooperation”.
Towards a common culture of data protection
GDPR’s recent lift-off has also come as a result of much greater funding for national data protection agencies. The Irish agency had been underfunded for two decades, which gave its directors an excuse for its sluggishness.
But the reality is that these agencies have not stopped growing in recent years: in 2016, the combined cost of all the EU’s data protection agencies was €162m, whereas this figure has risen to €295m in 2021. There is still, however, a large disparity in spending between member states: Germany, which has a federal agency and sixteen regional ones, accounts for 32% of the European spend in this area, while nine countries each spend less than €2m annually.
In this respect, the European Committee for Data Protection, the body entrusted with ensuring uniform application of data protection laws and cooperation between national authorities, asserts that “the successful prosecution of transnational cases requires a lot of time and resources”, and that is why “it is fundamentally important that national governments adequately fund their regulators”.
The European agencies’ formula has proved to be the most effective one: time and resources. The enforcement of GDPR is still asymmetrical, uncoordinated and often toothless, but the foundations of an effective data protection scheme take time to build. Little by little, the directors are harmonising their criteria, creating precedents which allow them to effectively implement some of the most ambitious and wide-ranging data protection laws in the world.