Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Posted on

28 Jun

2021

Dittmar & Indrenius > Insight > Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Just before the summer, around EU’s General Data Protection Regulation’s (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data protection obligations to efficient and harmonised enforcement of the GDPR across the EU. How are the data protection authorities handling the current situation?

At the time of the GDPR’s entry into force, much was made of article 83 of the regulation which empowers data protection authorities to impose administrative fines. Multiple businesses providing GDPR-related advisory services used this heavily as a selling point. So far, we have not (yet) seen any fines come even close to 4% of a company’s annual turnover – the maximum amount permitted in the GDPR’s enforcement provisions. However, we have seen that the supervision and enforcement practices of data protection authorities differ among themselves considerably, and that there is increasing pressure on the national authorities to get visible results and more robust supervisory mechanisms in place.

The European Court of Justice’s (ECJ) judgement of 15 June 2021 in case C-645/19 Facebook Ireland & Others highlighted this push for more efficient enforcement by establishing a national authority’s right to take a company to court in their own country – even when not the Lead Authority in the meaning of the GDPR’s One-Stop-Shop rule.

A comparison of the decision-making practices of different EU Member States’ data protection authorities reveals that there are significant inconsistencies among the enforcement practices of different national data protection authorities. There is substantial variation in the amounts and even in the legal basis of the sanctions. For example, the four fines issued in the UK come to a total of about 44 million euros, whereas the 79 fines imposed in Italy are altogether about 76 million euros.

The consistency mechanism also has its hiccups

When a company is established or the data processing takes place in more than one member state, the competent data protection authority will be wherever the group of companies is headquartered. This so-called One-Stop-Shop mechanism is one of the GDPR’s safeguards to ensure that supervisory authorities cooperate with each other. The supervisory authority’s unwillingness to take measures against a company or a mere lack of resources will result in an unstable practice and might cause a distorted competitive landscape. The uneven application of the GDPR’s enforcement mechanism can have a substantial impact on multinational companies, as there can be differences in the actions of supervisory authorities when interpreting the mechanism.

This raises the question of the GDPR’s functionality. This challenge to the One-Stop-Shop has also been noticed in practice and, in response, also in case law. The ECJ’s recent judgement mentioned above softens the interpretation of the One-Stop-Shop mechanism and extends the powers of data protection authorities in relation to multinational companies and cross-border cases. This ruling will preserve the effectiveness of national supervisory authorities’ cooperation and most likely increase the number of cases raised by authorities. A coherent enforcement ecosystem with consistent application is crucial for the protection of natural persons with regard to the processing of personal data and for the free movement of data and capital in the EU. Secondly, the unpredictability of the current operating environment hampers companies and other entities in pursuing GDPR compliance.

One could perhaps compare the current regulatory situation with the nuclear energy business

The way forward

Some critics have claimed that the supervision and cooperation is so unpredictable that some articles of the GDPR already need to be redrafted. Clearly, fully functional cooperation and an enforcement mechanism cannot be created overnight or merely by redrafting a few articles. But the European Commission is working to get the current regulatory framework to function at its fullest, and this combined with the ECJ’s recent judgement will – according to our estimate – lead to a significant increase in enforcement actions in Finland.

One could perhaps compare the current regulatory situation with the nuclear energy business:  the possible consequences of realised risks are impossible to predict, and if these risks materialise, they will translate into high sanctions and other costs. Nonetheless, here is what we can say about enforcement practices: both the sums and quantities of administrative fines have risen during the past 3 years, and the data protection authorities are slowly but surely finding their foothold and becoming more diligent at fully enforcing the GDPR.

More by the same author

Ovatko monimuotoisuus-kartoitukset mahdollisia Suomessa?

Organisaatioiden monimuotoisuus ja inklusiivisuus ovat vastuullisuuden keskeisiä elementtejä ja samalla kilpailukykytekijöitä. Erityisesti kansainvälisillä organisaatioilla on jo laajasti käytössä monimuotoisuuteen liittyviä tavoitteita ja menettelytapoja monimuotoisuuden mittaamiseksi. Suomessa työelämän tietosuojasääntely asettaa kuitenkin merkittäviä rajoituksia monimuotoisuusdatan keräämiselle. Monimuotoisuuden johtaminen dataa hyödyntäen ei kuitenkaan ole Suomessa mahdotonta.

It all comes down to innovation

Through this Quarterly, we at Dittmar & Indrenius’ Innovation Powerhouse invite you to a backstage tour into the various, exceptional and exciting ways that regulation and innovation meet in our work as attorneys. The way we see it, a revolution is underway, and no one can escape its reach.

Service provider selection and negotiation in 2021

The procurement of modern ICT services is a lively sector, characterised not only by challenges present in all types of procurement, but also by its highly distinctive features. When procuring standardised services from established and widely operating suppliers, the customer’s negotiating position can be rather restricted. At the same time, ICT procurement constitutes a significantly business-critical sector for many companies where the customer must ensure certain minimum requirements in selecting the service provider and negotiating the relevant contractual terms.

Latest insights

KKO: Muun työn tarjoaminen yksilöimättömillä rekrytointikirjeillä teki irtisanomisesta lainvastaisen

Alert / 17 May 2022
Reading time 3 minutes

Riitaan ei tarvita kahta

Article / 12 May 2022
Reading time 3 minutes