The report published by DLA Piper on GDPR fines and data breach notifications offers a snapshot of what has happened in the privacy world during the past 12 months, with mixed signals, including for Italy.
The total amount of sanctions issued by data protection supervisory authorities in the European Economic Area plus Great Britain under the GDPR since May 25, 2018, is € 272.5 million, with € 158.5 million in fines over the past 12 months. This circumstance shows how, despite the Covid-19 emergency, the privacy authorities’ activity has not stopped.
The highest GDPR fine to date remains the € 50 million sanction imposed on Google by France’s data protection authority, the CNIL, for alleged violations of the GDPR’s transparency principle and lack of valid consent. The data protection authority of Italy tops the list for the total value of GDPR fines issued since the beginning of GDPR applicability with more than € 69.3 million, followed by the German and French data protection authorities.
Interestingly, these fines do not stem from the incidents that normally grab the headlines, such as data breaches resulting from a cyber attack. The highest Italian penalties all relate to the processing of personal data in the course of telemarketing activities, where the issues tackled were the validity of the consent collected from data subjects, the transfer of data from so-called data brokers to the companies on whose behalf the telemarketing is carried out, and the control over the proper operation of call centers.
The position taken by the Garante in these disputes is, to say the least, questionable, as are the criteria followed for the calculation of the applicable sanctions. Unlike what happened in countries like Germany, the Italian data protection authority’s methodology is unclear. It is only known that, for the highest GDPR fines, 0.2% of the company’s turnover was considered in Italy. This uncertainty has an operational impact on companies, which have difficulty quantifying the actual extent of the “privacy risk” resulting from a violation.
Also singular, to say the least, are the GDPR fines issued by the UK privacy watchdog, the Information Commissioner’s Office (ICO), which issued two notices of its intention to fine totaling € 382 million in July 2019 and then reduced those penalties to € 22.2 million and € 20.4 million. The fact that the companies concerned operate in the tourism and transport sector, which has already paid a heavy price due to the Covid-19 emergency, played a significant role in this reduction. Such a tolerant stance has not, however, been taken by other European privacy authorities, and this circumstance may be just one of the first that, after Brexit, will differentiate the application of GDPR principles in Great Britain from the way they are applied in the European Economic Area.
In terms of the number of data breach notifications, in aggregate there have been more than 281,000 personal data breach notifications since the GDPR became applicable, with Germany (77,747), the Netherlands (66,527) and the United Kingdom (30,536) topping the list for the number of data breaches notified to regulators. In contrast, France and Italy, countries with populations of over 67 million and 62 million respectively, recorded only 5,389 and 3,460 notifications during the same period, illustrating cultural differences in the approach to breach notification.
There is no doubt that the low number of data breach notifications in Italy can also be explained by the level of attention that our Garante places on the content of notifications, which, based on my experience, are often followed by requests for information. The fear that a challenging procedure leading to a sanction will begin clearly acts as a deterrent for companies, without considering that failure to notify can further increase the value of the potential sanction.
I do not believe that every data breach should lead to a notification to the data protection supervisory authority, because this course of action is contrary to the rules of the GDPR and the principle of accountability. However, before deciding not to notify a data breach, the company must justify it based on a report that the privacy authority will certainly require in the event of an investigation. In this task, considerable support is provided by the new data breach self-assessment service recently launched by the Garante. Still, there are also legal tech tools that are perhaps more structured and able to provide a more detailed outcome, such as DLA Piper’s NOTIFY.
Image courtesy Jernej Furman