Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Posted on

28 Jun


Dittmar & Indrenius > Insight > Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Just before the summer, around EU’s General Data Protection Regulation’s (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data protection obligations to efficient and harmonised enforcement of the GDPR across the EU. How are the data protection authorities handling the current situation?

At the time of the GDPR’s entry into force, much was made of article 83 of the regulation which empowers data protection authorities to impose administrative fines. Multiple businesses providing GDPR-related advisory services used this heavily as a selling point. So far, we have not (yet) seen any fines come even close to 4% of a company’s annual turnover – the maximum amount permitted in the GDPR’s enforcement provisions. However, we have seen that the supervision and enforcement practices of data protection authorities differ among themselves considerably, and that there is increasing pressure on the national authorities to get visible results and more robust supervisory mechanisms in place.

The European Court of Justice’s (ECJ) judgement of 15 June 2021 in case C-645/19 Facebook Ireland & Others highlighted this push for more efficient enforcement by establishing a national authority’s right to take a company to court in their own country – even when not the Lead Authority in the meaning of the GDPR’s One-Stop-Shop rule.

A comparison of the decision-making practices of different EU Member States’ data protection authorities reveals that there are significant inconsistencies among the enforcement practices of different national data protection authorities. There is substantial variation in the amounts and even in the legal basis of the sanctions. For example, the four fines issued in the UK come to a total of about 44 million euros, whereas the 79 fines imposed in Italy are altogether about 76 million euros.

The consistency mechanism also has its hiccups

When a company is established or the data processing takes place in more than one member state, the competent data protection authority will be wherever the group of companies is headquartered. This so-called One-Stop-Shop mechanism is one of the GDPR’s safeguards to ensure that supervisory authorities cooperate with each other. The supervisory authority’s unwillingness to take measures against a company or a mere lack of resources will result in an unstable practice and might cause a distorted competitive landscape. The uneven application of the GDPR’s enforcement mechanism can have a substantial impact on multinational companies, as there can be differences in the actions of supervisory authorities when interpreting the mechanism.

This raises the question of the GDPR’s functionality. This challenge to the One-Stop-Shop has also been noticed in practice and, in response, also in case law. The ECJ’s recent judgement mentioned above softens the interpretation of the One-Stop-Shop mechanism and extends the powers of data protection authorities in relation to multinational companies and cross-border cases. This ruling will preserve the effectiveness of national supervisory authorities’ cooperation and most likely increase the number of cases raised by authorities. A coherent enforcement ecosystem with consistent application is crucial for the protection of natural persons with regard to the processing of personal data and for the free movement of data and capital in the EU. Secondly, the unpredictability of the current operating environment hampers companies and other entities in pursuing GDPR compliance.

One could perhaps compare the current regulatory situation with the nuclear energy business

The way forward

Some critics have claimed that the supervision and cooperation is so unpredictable that some articles of the GDPR already need to be redrafted. Clearly, fully functional cooperation and an enforcement mechanism cannot be created overnight or merely by redrafting a few articles. But the European Commission is working to get the current regulatory framework to function at its fullest, and this combined with the ECJ’s recent judgement will – according to our estimate – lead to a significant increase in enforcement actions in Finland.

One could perhaps compare the current regulatory situation with the nuclear energy business:  the possible consequences of realised risks are impossible to predict, and if these risks materialise, they will translate into high sanctions and other costs. Nonetheless, here is what we can say about enforcement practices: both the sums and quantities of administrative fines have risen during the past 3 years, and the data protection authorities are slowly but surely finding their foothold and becoming more diligent at fully enforcing the GDPR.

More by the same author

First-ever Supreme Administrative Court rulings on GDPR fines – both for and against

The Supreme Administrative Court of Finland has issued its first decisions regarding administrative fines under the General Data Protection Regulation (the “GDPR”). Incidentally, the decisions concerned the first administrative fines imposed by the Finnish Data Protection Ombudsman back in 2020. The court’s essential arguments, as summarised below, may provide useful insights into how the appellate courts will interpret GDPR requirements and, especially, what aspects are key when challenging GDPR fines in the future.

D&I’s Innovation Powerhouse

2023 has kicked off with a bang! Our Innovation Powerhouse has been busier than ever working with cases and clients that (dare we say without sounding cliché?) inspire us every single day. Let’s take a look at what we have been up to and what we believe makes us the go-to partner for demanding clients working with innovations.

Old and New Elements of Cybersecurity

The current cybersecurity landscape has forced us to learn how to cope with surrounding cyber threats. By assisting our clients and international law firms in large and complex data breach incidents, we have learned the pain points and relieving factors in the data breaches of today. Based on our experience of the busiest ever data breach year of 2022, we predict that the increase of risks and malicious cyber attacks will just continue. Our team has compiled our key takeaways into five categories of the old and new elements of cybersecurity.

Latest insights

A year of big reforms – Review of Finnish merger control in 2023

Alert / 9 Feb 2024
Reading time 6 minutes

Update on Timing and Contents of the New Act Governing Permitting and Construction of Offshore Wind Power within the Finnish EEZ

Alert / 2 Feb 2024
Reading time 2 minutes