Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Posted on

28 Jun

2021

Dittmar & Indrenius > Insight > Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Just before the summer, around EU’s General Data Protection Regulation’s (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data protection obligations to efficient and harmonised enforcement of the GDPR across the EU. How are the data protection authorities handling the current situation?

At the time of the GDPR’s entry into force, much was made of article 83 of the regulation which empowers data protection authorities to impose administrative fines. Multiple businesses providing GDPR-related advisory services used this heavily as a selling point. So far, we have not (yet) seen any fines come even close to 4% of a company’s annual turnover – the maximum amount permitted in the GDPR’s enforcement provisions. However, we have seen that the supervision and enforcement practices of data protection authorities differ among themselves considerably, and that there is increasing pressure on the national authorities to get visible results and more robust supervisory mechanisms in place.

The European Court of Justice’s (ECJ) judgement of 15 June 2021 in case C-645/19 Facebook Ireland & Others highlighted this push for more efficient enforcement by establishing a national authority’s right to take a company to court in their own country – even when not the Lead Authority in the meaning of the GDPR’s One-Stop-Shop rule.

A comparison of the decision-making practices of different EU Member States’ data protection authorities reveals that there are significant inconsistencies among the enforcement practices of different national data protection authorities. There is substantial variation in the amounts and even in the legal basis of the sanctions. For example, the four fines issued in the UK come to a total of about 44 million euros, whereas the 79 fines imposed in Italy are altogether about 76 million euros.

The consistency mechanism also has its hiccups

When a company is established or the data processing takes place in more than one member state, the competent data protection authority will be wherever the group of companies is headquartered. This so-called One-Stop-Shop mechanism is one of the GDPR’s safeguards to ensure that supervisory authorities cooperate with each other. The supervisory authority’s unwillingness to take measures against a company or a mere lack of resources will result in an unstable practice and might cause a distorted competitive landscape. The uneven application of the GDPR’s enforcement mechanism can have a substantial impact on multinational companies, as there can be differences in the actions of supervisory authorities when interpreting the mechanism.

This raises the question of the GDPR’s functionality. This challenge to the One-Stop-Shop has also been noticed in practice and, in response, also in case law. The ECJ’s recent judgement mentioned above softens the interpretation of the One-Stop-Shop mechanism and extends the powers of data protection authorities in relation to multinational companies and cross-border cases. This ruling will preserve the effectiveness of national supervisory authorities’ cooperation and most likely increase the number of cases raised by authorities. A coherent enforcement ecosystem with consistent application is crucial for the protection of natural persons with regard to the processing of personal data and for the free movement of data and capital in the EU. Secondly, the unpredictability of the current operating environment hampers companies and other entities in pursuing GDPR compliance.

One could perhaps compare the current regulatory situation with the nuclear energy business

The way forward

Some critics have claimed that the supervision and cooperation is so unpredictable that some articles of the GDPR already need to be redrafted. Clearly, fully functional cooperation and an enforcement mechanism cannot be created overnight or merely by redrafting a few articles. But the European Commission is working to get the current regulatory framework to function at its fullest, and this combined with the ECJ’s recent judgement will – according to our estimate – lead to a significant increase in enforcement actions in Finland.

One could perhaps compare the current regulatory situation with the nuclear energy business:  the possible consequences of realised risks are impossible to predict, and if these risks materialise, they will translate into high sanctions and other costs. Nonetheless, here is what we can say about enforcement practices: both the sums and quantities of administrative fines have risen during the past 3 years, and the data protection authorities are slowly but surely finding their foothold and becoming more diligent at fully enforcing the GDPR.

More by the same author

It all comes down to innovation

Through this Quarterly, we at Dittmar & Indrenius' Innovation Powerhouse invite you to a backstage tour into the various, exceptional and exciting ways that regulation and innovation meet in our work as attorneys. The way we see it, a revolution is underway, and no one can escape its reach. (more…) Read more

Service provider selection and negotiation in 2021

The procurement of modern ICT services is a lively sector, characterised not only by challenges present in all types of procurement, but also by its highly distinctive features. When procuring standardised services from established and widely operating suppliers, the customer’s negotiating position can be rather restricted. At the same time, ICT procurement constitutes a significantly… Read more

Winds of change in IPR agreements

It comes as no surprise to our readers that, as a global trend, the value of intellectual property rights (or IPRs, as we often refer to them) and the revenue they bring in is on the rise. Neither will it be news to you that as the value of intellectual property rights grows, so do the… Read more

Latest insights

Sustainability on Board

Article / 3 Dec 2021

It all comes down to innovation

Article / 23 Nov 2021