SoylentNews is people

posted by janrinok on Monday November 04 2019, @04:31AM
from the exactly-as-the-EU-said-would-happen dept.

Submitted via IRC for Runaway1956

GDPR Fines Haven't Rocked the Data Privacy World

When it launched, Europe's General Data Protection Regulation (GDPR) became bigger than Beyoncé. Since then, some of the hype around the law has waned, but there's still one thing that gets people excited: fines.

Under the law, data-protection regulators across Europe have boosted powers to punish companies and organizations who are found in breach of the GDPR. The most serious consequences can be fines of up to €20 million ($22.4 million) or 4 percent of a firm's global turnover, whichever is greater. These are larger than the £500,000 ($650,000) penalties that could be issued by the UK's regulator, the Information Commissioner's Office, under the old data-protection rules.

Before the GDPR was enforced there were outlandish predictions that businesses would be hit with huge fines for data-protection issues. Some estimates claimed GDPR fines would be 79 times higher than those under previous rules; others said banks would be hit with fines of up to €4.7 billion ($5.3 billion) in the coming years.

Unsurprisingly there hasn't been a deluge of fines running into millions or billions of euros, but the EU's 28 data-protection regulators are slowly beginning to flex their enforcement muscles—including against big tech companies.

After the first year of the GDPR, the European Data Protection Board reported (PDF) that nations had examined 206,326 cases under the law. Helen Dixon, the Irish data-protection regulator who has jurisdiction over US tech companies because of their European headquarters in Ireland, has investigations open into at least 17 multinational firms. These include Facebook and its subsidiaries WhatsApp and Instagram, plus Google and Twitter.

Regulators have already moved against big tech companies and others who have failed to properly protect consumer data. Here's what we know about the GDPR fines that have been issued around Europe so far and why they've been handed out.

[Ed's Note: Under the fair use laws we cannot publish much of the story but the report details a handful of cases where fines have been levied and explains why such action was deemed appropriate in each case. Most companies so far penalised by fines are European, although ongoing investigations exist against businesses from the US and elsewhere.]



  • (Score: -1, Flamebait) by Anonymous Coward on Monday November 04 2019, @06:11AM (5 children)

    by Anonymous Coward on Monday November 04 2019, @06:11AM (#915632)

    Another Runaway1956 sub? How many of these do I have to wade through before I can get to some real tech news? Asking for a friend.

    • (Score: 5, Touché) by janrinok on Monday November 04 2019, @06:32AM (3 children)

      by janrinok (52) Subscriber Badge on Monday November 04 2019, @06:32AM (#915635) Journal

      Well, you could also make some submissions that we can use that cover our areas of interest and comply with the stated guidelines. We welcome submissions from our community members rather than having to resort to using bots to find new stories.

      But I wonder what your complaint is regarding submissions by Runaway? The submission contains nothing reflecting the submitter's political leanings or personal views, and it quotes verified and neutral sources. It raises some valid points and highlights that the EU has done what it promised to do: it is trying to educate web sites regarding the safe-keeping of personal data and only fining when other options seem to have been unsuccessful or when the breach of the GDPR is especially serious. Of course, you are free to disagree here in the comments - as is your 'friend'.

      At first glance it seems that your objection to the submission is that it is made by Runaway. Are you suggesting that we should reject submissions based solely on the identity of the submitter rather than judging them on their content?

      • (Score: -1, Offtopic) by Anonymous Coward on Monday November 04 2019, @09:38AM (2 children)

        by Anonymous Coward on Monday November 04 2019, @09:38AM (#915670)

        Bloody Brexiteer!

        • (Score: 2) by janrinok on Monday November 04 2019, @11:42AM (1 child)

          by janrinok (52) Subscriber Badge on Monday November 04 2019, @11:42AM (#915683) Journal

          Well, seeing that I live in France, I'm not sure what you are claiming...

          Is France leaving the EU as well? Have I missed some crucial news?

          Or are you wrong?

          • (Score: -1, Troll) by Anonymous Coward on Monday November 04 2019, @02:45PM

            by Anonymous Coward on Monday November 04 2019, @02:45PM (#915716)

            Living on the EU mainland doesn't preclude you from being a Brexiteer. I live in NL and over the past few years, I've become one of the most fervent supporters of Brexit. I blame our politicians for keeping that sorry bunch afloat. We should have cast them off in May so we could watch them bobbing around from a safe distance.

    • (Score: 1, Funny) by Anonymous Coward on Monday November 04 2019, @08:08AM

      by Anonymous Coward on Monday November 04 2019, @08:08AM (#915656)

      It lies. It has no friends.

  • (Score: 5, Insightful) by zocalo on Monday November 04 2019, @08:42AM

    by zocalo (302) on Monday November 04 2019, @08:42AM (#915661)

    ...has investigations open into at least 17 multinational firms.

    Well, there's your answer. There have actually been plenty of successful smaller prosecutions [itgovernance.co.uk] under the GDPR that haven't really attracted much media coverage because a few €100k is "meh!" compared to whatever some random celeb screwed up over this week. There have also been some fairly major ones that *did* get a lot of media attention; France's CNIL fined Google €50M [www.cnil.fr], while the UK's ICO intends to fine British Airways £183M [ico.org.uk] and Marriott International $99M [ico.org.uk] (both those are still subject to appeal and reduction).

    However, if you're going to go after something like a major search/social media company for the full 4% of global annual turnover for some truly egregious breach of the regulations, then - after you've actually identified such a breach - you are going to want to make sure that you have them bang to rights and with limited hope of getting much of a reduction on appeal, or of taking sufficient steps to fix the problem so that you are obliged to reduce the fine considerably. Especially since it costs a lot of money to take on major multinationals because they tend to be capable of readily deploying teams of very good lawyers and funding them for protracted legal fights. That's going to take a good deal of time to gather the necessary evidence, put a case together, then run it through the courts while hopefully avoiding an embarrassingly expensive defeat for the prosecution. I'm pretty sure the multi-billion Euro fines under the GDPR are coming, but we're just going to need to be patient a little longer while the cases are built.

    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 2) by tangomargarine on Monday November 04 2019, @03:53PM

    by tangomargarine (667) on Monday November 04 2019, @03:53PM (#915744)

    From what I recall about some of their ridiculous demands, it may actually be easier to just take the 4% hit as a cost of doing business, than reengineer your entire global Internet platform to kowtow to their Right To Force Others To Forget You or whatever they are.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2) by hwertz on Monday November 04 2019, @05:34PM (1 child)

    by hwertz (8141) on Monday November 04 2019, @05:34PM (#915792)

    Well, the outlandish predictions were outlandish. GDPR's goal is to protect people's privacy, not to bankrupt companies. If you read The Register, companies in Europe at least were VERY worried about GDPR as it rolled out, and truly did make changes to improve privacy in order to avoid these fines. 4% of income is enough to make any company sweat.

    • (Score: 2) by Pino P on Monday November 04 2019, @05:52PM

      by Pino P (4721) on Monday November 04 2019, @05:52PM (#915807) Journal

      GDPR's goal is to protect people's privacy, not to bankrupt companies.

      The harsh part about GDPR is its effect on two groups:

      • small businesses outside the European Union that want to sell into the Union, and
      • residents of the Union who want to purchase goods that do not yet have a distributor in the Union.

      Article 27 of the GDPR [privacy-regulation.eu] effectively requires companies outside the Union that sell into the Union to hire a representative on Union soil. (The biggest exception to this is "processing which is occasional," but Article 27 leaves the word "occasional" undefined.) A small business based in Canada or the United States with, say, $1 million in worldwide annual revenue and $20,000 per year of sales into the Union might not be able to afford $2,700 per year [verasafe.com] for this representative service. So pending case law that defines "occasional," some small businesses have chosen not to sell into the Union. For example, some have removed all EU member states from billing and shipping address validators in order to stay outside the GDPR's territorial scope pursuant to Article 3(2) [privacy-regulation.eu].
