Today is GDPR’s second anniversary
Two years have passed since the updated General Data Protection Regulation (GDPR) changed the European data protection landscape. As of 25 May 2018, there is a single set of data protection rules for all companies operating in the EU, wherever they are based.
As is our tradition, PaySpace Magazine reviews the most recent GDPR-related data, the most significant legal cases, and the impact the regulation has had on other regions of the world.
Amazing GDPR statistics
Within the last year, the total amount of GDPR fines has grown almost threefold (from €56M to €153M).
Google’s penalty remains the largest fine issued to date. As we already reported in 2019, the French data regulator CNIL fined Google €50 million for failing to explain properly how it collected users’ data and for what purposes, along with its opaque mechanism for targeting personalized ads.
According to DLA Piper’s latest GDPR Data Breach Survey, over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein for the May 2018 – January 2020 period.
The Netherlands, Germany, and the UK topped the ranking for the number of data breaches notified to national regulators (40,647; 37,636 and 22,181 notifications respectively).
Meanwhile, France, Germany, and Austria lead the rankings for the highest total value of GDPR fines imposed, with roughly €51 million (€50M for Google France alone), €24.5 million and €18 million respectively.
The Irish Data Protection Commission (DPC), the lead European Union privacy regulator for most of the big-tech cases, reported that 6 new statutory inquiries have been opened into multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21. However, no major decisions on these cases have been taken yet. In fact, the fine issued to Google has so far been the only legal consequence of data privacy violations by tech giants in the EU. The cross-border nature of such investigations significantly complicates and delays the legal proceedings.
GDPR fines, scandals and allegations
Google’s record fine was evidently not enough for the company to bring its policies into compliance with the GDPR. In March 2020, the Swedish Data Protection Authority issued another €7M fine to Google Inc. for failing to adequately comply with its obligations regarding the right of data subjects to have their search results removed from Google search. The Authority also questioned Google’s practice of informing website owners about which search results were removed and specifically who was behind the removal request.
Furthermore, in February 2020, the Irish Data Protection Commission (DPC) finally opened a formal investigation into the legality of the tech giant’s processing of location data, more than a year after receiving a series of complaints from consumer rights groups across Europe. BEUC, an umbrella group for European consumer rights groups, said the complaints about “deceptive” location tracking were filed back in November 2018, several months after the GDPR came into force.
The second-highest fine imposed by European data protection authorities was issued in Italy this year. The telecom provider TIM received a fine of €27.8M for unsolicited promotional calls to several million individuals and for including its customers’ data in prize competitions without consent. One person complained of receiving 155 calls in a month after several requests to opt out. In about two hundred thousand cases, operators used ‘off-list’ numbers not included in TIM’s marketing list. The DPA determined that the company lacked control over its call centers and had weak privacy and data processing policies.
In Austria, the national Post was fined €18M for selling detailed personal profiles of approximately 3 million citizens to various companies and political parties. The Post management used customers’ data, such as ages and addresses, to calculate the probability of which political party they might support. However, the Post representatives consider the decision “to be incorrect in terms of content and the sentence imposed to be completely excessive. We have always emphasized that the forecasts are statistical extrapolations and not actually personal data, the data has already been deleted”, and the company planned to appeal the decision.
British Airways and Marriott International
Nevertheless, all these figures will look modest if the UK’s ICO finalizes its decisions against British Airways and Marriott International.
We should remind readers that UK organizations that process personal data are currently bound by two laws: the EU GDPR and the UK Data Protection Act (DPA) 2018. Both laws continue to apply until the end of the Brexit transition period on 31 December 2020.
In July 2019, the UK’s independent authority, the Information Commissioner’s Office (ICO), issued a notice of its intention to fine British Airways £183.39M (approximately €205M) for a cyber attack that affected half a million of its customers and occurred between April and September 2018.
The next day, the ICO announced a near-£100 million (€110M) fine for the hotel group Marriott International, which suffered a massive global hack in autumn 2018 in which the records of 339 million guests were stolen. It is believed the exposure began when the systems of the Starwood hotel group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
Neither case is final; each will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The company representatives still have the chance to defend their case and negotiate the amount of the fine.
The Swedish retail giant H&M is another candidate for a massive fine. The German DPA suspects H&M of spying on its employees and of illegally storing their private healthcare records and data on their family backgrounds. The suspicion of massive violations of the employees’ data protection rights has been confirmed at least at the location in Nuremberg. The investigation continues.
The dating app Tinder is one of the latest tech services to find itself under formal investigation in Europe over GDPR compliance. The Irish DPC said complaints about the dating app have been made by individuals in multiple EU countries, not just in Ireland, with the Irish regulator taking the lead under the GDPR mechanism for managing cross-border investigations. In particular, some users have accused the company of not providing a copy of all the data it holds on them.
Although Zoom is not under a formal probe yet, many experts suggest that its lack of transparency and its sharing of information with third parties without user consent are a clear breach of the GDPR.
For instance, Tara Taubman-Bassirian, a French-born, London-based lawyer and privacy advocate, told SecurityWeek: “With the lack of transparency, the host holds many capabilities that are unknown to the participant, such as recording and further broadcasting.”
Given how widely the app is used under COVID-19 restrictions, the issue takes on huge importance. According to Wired, during the first two months of 2020 Zoom added more users than in the whole of 2019, and even the UK’s Cobra team, the cabinet members tasked with tackling the coronavirus crisis, are using the app to host their meetings remotely.
International Impact of the GDPR
Globally, data protection laws (often referred to as data privacy laws in non-EU countries) are spreading rapidly. Many of these laws are strongly influenced by the EU rules, which have long been considered the gold standard in data protection law.
Over 100 countries around the world now have data protection laws in place, and fewer than half of them are in Europe (the 28 EU Member States and others). The majority of data protection laws have been adopted outside Europe, with the fastest growth seen in African countries.
So far 24 African countries, out of 53, have adopted laws and regulations to protect personal data, and the number is slowly rising. The EU GDPR serves as a model for many. Yet Raymond Onuhoa, a researcher at the Lagos Business School, insisted that “we need to elaborate laws that fit the local context, without plainly replicating the provisions of other frameworks”.
2020 will be a crucial year for enforcing data protection policies across the continent. This year, at least twenty African countries will go to the polls, for both legislative and presidential elections, and citizens will cast their votes using biometric voting systems. These systems rely on a card that stores the voter’s facial image, fingerprints, and iris scans, and misuse of the data stored there could have dramatic consequences.
Recently, a number of Asian countries, including China, India, South Korea, Vietnam, Malaysia, Thailand, and Indonesia, have either introduced or strengthened existing cybersecurity or data protection legislation. Though many of these legal initiatives were GDPR-inspired, some countries extended their reach further than their European counterparts.