Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Posted on

28 Jun

2021

Dittmar & Indrenius > Insight > Quo vadis, GDPR enforcement? Tide is turning and it could affect your business

Just before the summer, around EU’s General Data Protection Regulation’s (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data protection obligations to efficient and harmonised enforcement of the GDPR across the EU. How are the data protection authorities handling the current situation?

At the time of the GDPR’s entry into force, much was made of article 83 of the regulation which empowers data protection authorities to impose administrative fines. Multiple businesses providing GDPR-related advisory services used this heavily as a selling point. So far, we have not (yet) seen any fines come even close to 4% of a company’s annual turnover – the maximum amount permitted in the GDPR’s enforcement provisions. However, we have seen that the supervision and enforcement practices of data protection authorities differ among themselves considerably, and that there is increasing pressure on the national authorities to get visible results and more robust supervisory mechanisms in place.

The European Court of Justice’s (ECJ) judgement of 15 June 2021 in case C-645/19 Facebook Ireland & Others highlighted this push for more efficient enforcement by establishing a national authority’s right to take a company to court in their own country – even when not the Lead Authority in the meaning of the GDPR’s One-Stop-Shop rule.

A comparison of the decision-making practices of different EU Member States’ data protection authorities reveals that there are significant inconsistencies among the enforcement practices of different national data protection authorities. There is substantial variation in the amounts and even in the legal basis of the sanctions. For example, the four fines issued in the UK come to a total of about 44 million euros, whereas the 79 fines imposed in Italy are altogether about 76 million euros.

The consistency mechanism also has its hiccups

When a company is established or the data processing takes place in more than one member state, the competent data protection authority will be wherever the group of companies is headquartered. This so-called One-Stop-Shop mechanism is one of the GDPR’s safeguards to ensure that supervisory authorities cooperate with each other. The supervisory authority’s unwillingness to take measures against a company or a mere lack of resources will result in an unstable practice and might cause a distorted competitive landscape. The uneven application of the GDPR’s enforcement mechanism can have a substantial impact on multinational companies, as there can be differences in the actions of supervisory authorities when interpreting the mechanism.

This raises the question of the GDPR’s functionality. This challenge to the One-Stop-Shop has also been noticed in practice and, in response, also in case law. The ECJ’s recent judgement mentioned above softens the interpretation of the One-Stop-Shop mechanism and extends the powers of data protection authorities in relation to multinational companies and cross-border cases. This ruling will preserve the effectiveness of national supervisory authorities’ cooperation and most likely increase the number of cases raised by authorities. A coherent enforcement ecosystem with consistent application is crucial for the protection of natural persons with regard to the processing of personal data and for the free movement of data and capital in the EU. Secondly, the unpredictability of the current operating environment hampers companies and other entities in pursuing GDPR compliance.

One could perhaps compare the current regulatory situation with the nuclear energy business

The way forward

Some critics have claimed that the supervision and cooperation is so unpredictable that some articles of the GDPR already need to be redrafted. Clearly, fully functional cooperation and an enforcement mechanism cannot be created overnight or merely by redrafting a few articles. But the European Commission is working to get the current regulatory framework to function at its fullest, and this combined with the ECJ’s recent judgement will – according to our estimate – lead to a significant increase in enforcement actions in Finland.

One could perhaps compare the current regulatory situation with the nuclear energy business:  the possible consequences of realised risks are impossible to predict, and if these risks materialise, they will translate into high sanctions and other costs. Nonetheless, here is what we can say about enforcement practices: both the sums and quantities of administrative fines have risen during the past 3 years, and the data protection authorities are slowly but surely finding their foothold and becoming more diligent at fully enforcing the GDPR.

More by the same author

Welcoming the new year – and a new mechanism for EU-U.S. data transfers?

In October 2022, President Joe Biden’s administration published an executive order regarding a new EU-U.S. Data Privacy Framework, i.e. the replacement of the so-called Privacy Shield mechanism previously allowing transfers of personal data from the EU to the U.S. The executive order immediately sparked the European Commission’s process to assess the new U.S. regime and prepare a respective adequacy decision, which would bring considerable certainty and clarity to trans-Atlantic data flows. In essence, it was a beacon of hope for European organisations having struggled with U.S. data transfers, for example in connection with various established cloud services, ever since the prior Privacy Shield mechanism was invalidated by the Schrems II judgement in July 2020.

Successor framework for Privacy Shield has been revealed bringing long-awaited hope for EU-U.S. data transfers

On Friday 7 October, President Joe Biden’s administration published an executive order regarding a new EU-U.S. Data Privacy Framework, i.e. the replacement of the so-called Privacy Shield mechanism previously allowing transfers of personal data from the EU to the U.S. Although the executive order, in itself, does not legitimise trans-Atlantic data flows, it is a beacon of hope for European organisations having struggled with U.S. data transfers since the Schrems II judgement in July 2020.

New finesses for fines in GDPR enforcement

The EU’s General Data Protection Regulation (GDPR) became applicable four years ago. Both the number and amounts of administrative fines imposed by the supervisory authorities of EU Member States have been steadily increasing during these years. The biggest fines have reached tens and even hundreds of millions of euros. But have they been proportionate and harmonised, and how has the European Data Protection Board (EDPB), monitoring the consistent application of the GDPR, sought to ensure this?

Latest insights

Busy times ahead – Review of Finnish merger control in 2022

Alert / 24 Jan 2023
Reading time 6 minutes

D&I Transaction Powerhouse Deal Announcement

Alert / 19 Jan 2023
Reading time 2 minutes