The first birthday of the GDPR has just passed, and with it the deadline after which some data protection authorities will no longer be tolerant on the issue of privacy fines. What is going to happen next?
The birthday of the GDPR passed with the end of the transitional period for fines
On May 20, 2019, the interim rule set forth in the Italian Privacy Code, under which the data protection authority “would have taken into account” the phase of first application of the GDPR when applying the administrative sanctions it provides for, ceased to apply.
This provision had caused a stir among privacy experts. It was not clear what the term “take into account” means for calculating sanctions, especially concerning obligations that in some cases reflect principles already dictated by Italian privacy law since 1996.
It is like admitting that compliance with the privacy regulations before the advent of the GDPR sanctions was not considered relevant by the companies that now realize that they must take action.
In the same way, the Italian legislator seemed not to have taken into account that the GDPR is an EU Regulation and, as such, does not need to be implemented: its provisions apply directly, and the discretion left to the EU Member States is limited to what the Regulation itself expressly allows. Therefore, the Italian data protection authority has never been in a position to issue sanctions lower than those provided for by the GDPR.
Even the French Privacy Authority, the CNIL, had provided for a moratorium of 12 months, up to the first birthday of the GDPR, before applying its sanctions. However, we also know how it went. The € 50 million fine issued by the CNIL against Google is by far the highest sanction for violation of privacy laws ever adopted (Read “What does Google € 50 million GDPR fine mean for privacy compliance?”). It could even be surpassed, however, by sanctions that, based on the latest rumors, are likely to be issued against Facebook in connection with events related to the Cambridge Analytica scandal.
With the above provision, it seemed that the legislator had sent companies to “try” to comply with the GDPR in these early months. But I remember a famous Star Wars quote from Master Yoda,
Try not! Do or don’t do, there’s no trying!
The approach of some companies during the last months has in many cases been to “try” to do what is required by the GDPR and to have a plan to comply with it. All this happened mainly in the months before May 25, 2018, with levels of internal pressure that increased significantly in the days immediately before the deadline.
Are companies ready for GDPR sanctions?
What surprisingly happened since May 25, 2018, has been a significant reduction in the priority that companies have given to the need to comply with the GDPR. Some companies had planned to invest millions in their privacy program in 2018 and then allocated almost nothing to it in 2019. As if the obligations provided by the EU Privacy Regulation were reduced to procedures and technical measures that, once adopted, secure the company forever!
Also, the scenario we found in some cases was that companies had adopted privacy information notices, records of data processing and privacy-related procedures before May 25th, 2018, but these did not reflect the company’s actual operations in any way. These measures were taken before the deadline only because top management had discovered the importance of privacy compliance during those days when the news of the new EU privacy legislation was in all the newspapers. However, other priorities later became more relevant, and only the merely “formal” approach mentioned above remained.
The beginning of new dawn raids by the Italian data protection authority
The Garante gave a first warning signal and, in the last few months, restarted its privacy dawn raids with the support of the Italian tax police, the Guardia di Finanza. The peculiarity we have found in the post-25 May 2018 inspections is the level of detail of the requests addressed to the investigated companies.
The authority requests and verifies endless lists of information, even accessing the companies’ computer systems to check the correspondence between what is indicated in the documentation and the actual operations.
Companies are often not prepared for these inspections. This is true more often in multinationals that adopted very sophisticated programs to comply with the GDPR but then decided that localizing them, based on the actual processing of personal data by each company of the group, on the approach of the local data protection authority and on the local provisions integrating the GDPR, would be too burdensome for the group.
In many cases, the solution has been to adopt the same procedures, privacy information notices, organizational and security measures and requirements for all the companies in the group, with records of data processing that have a limited level of customization to the operations of each company. All this documentation often contains provisions of mere principle that can hardly be read as specific instructions to those actually processing personal data. Similarly, in some cases, documents are not translated into the local language, adding a further complication because the local privacy authority is unlikely to accept documents in a foreign language.
This scenario often happens in a context where a single group DPO is identified at the global level, who is hardly accessible, has no in-depth knowledge of the local situation, cannot be present in the case of privacy dawn raids and in most cases does not speak the local language.
These circumstances are viewed negatively by data protection authorities (and in particular by the Italian Data Protection Authority, the Garante) in the context of an inspection and inevitably increase the risk of being sanctioned. This risk is further increased by the fact that companies are sometimes not ready to handle a dawn raid. Procedures for the management of tax investigations or so-called antitrust dawn raids are widespread; however, not many companies have adopted them for privacy inspections.
On this topic, you can read “Top 5 immediate actions to get ready for Italian privacy dawn raids”.
The first sanction issued by the Italian data protection authority under the GDPR
The only sanction issued to date by the Garante under the GDPR was of € 50,000, for failure to adopt the required security measures, following the data breach relating to the websites of the political party currently in the Italian Government, the 5 Star Movement.
This decision is interesting for two reasons.
It was issued by the Italian data protection authority against a data processor instead of the data controller. This is a new element introduced by the European Privacy Regulation: it is no longer only the data controller who is responsible for compliance with the obligations relating to the processing of personal data.
Service providers are no longer “protected” by their customers with respect to possible sanctions. If it is shown that the sanction was a consequence of their own misconduct or of their own violation of the GDPR, they can be directly sanctioned.
This does not mean, however, that the data controller is exempt from checking the compliance of its data processors with the privacy regulations. On the contrary, this is an obligation expressly provided for by the GDPR which, in the event of non-compliance, may also result in a sanction against the data controller for the conduct of its data processors.
On this topic, you can read “First GDPR fine issued in Italy”.
The criteria for calculating the sanctions provided for by the GDPR
A second interesting element of the decision that led to the first GDPR fine concerns the amount of the sanction. The Garante does not provide much information on the criteria used to calculate it. This is precisely one of the elements of uncertainty in the GDPR, which
- does not provide for a minimum amount of sanctions;
- provides only for a maximum amount, with the sole variant that penalties may be up to €10 million or €20 million, or for companies, up to 2% or 4% of the total annual worldwide turnover of the preceding business year; and
- sets out broad criteria for the calculation of sanctions.
All these elements leave a high level of discretion to the data protection supervisory authorities in the calculation of the applicable sanction, with the aggravating circumstance that – given the recent beginning of the applicability of the GDPR – there are not many precedents to be used as a benchmark.
Given the similarity of the type of sanction, it is likely that data protection authorities will take into account some of the criteria developed over the years by the antitrust authorities. However, also in light of the very wide “range” of the possible sanction amount, it is probable that any sanction of a non-insignificant amount will result in lengthy litigation. Confirming this, Google has already announced that it will appeal against the € 50 million fine imposed by the CNIL.
How high is the risk of privacy sanctions under the GDPR?
According to the European Data Protection Board, the total amount of privacy fines issued before the first birthday of the GDPR was € 55,955,871. It is not clear whether this amount also includes fines issued during the 12-month period but under the previous regime.
We have been monitoring the sanctions that have been issued by the European data protection authorities in the main jurisdictions. In the chart below, I have not included the € 50 million fine issued by the CNIL because it is considerably higher than the other sanctions and would have made the image illegible.
From these data, it emerges that all the other European privacy authorities issued sanctions of a significantly lower amount than the CNIL. The second most significant sanction was issued by the Portuguese authority, which in a single proceeding issued a fine of € 400 thousand against a hospital for abusive access to patient data. But the German privacy authorities were the most active, with 21 proceedings concluded concerning disputes arising after May 25, 2019.
It is not clear whether these data should be of comfort to companies. It cannot be guaranteed that this “light” approach will be confirmed in the coming months. The first birthday of the GDPR has only just passed, but it is undoubtedly true that the GDPR’s “far west” is just beginning.
Some of these issues will be discussed in Rome on the 29th of May 2019 at our privacy event dedicated to the birthday of the GDPR, whose details are available here.