PRIVACY
GDPR Enforcement
By Dubhe Sarmiento Felix
December 19, 2020
Fernando Ron Pedrique
In recent years technology has changed the way companies do business and trade internationally. It has increased the volume of data transmitted locally and across borders, and personal data has become a crucial tool for businesses and economies, a tradable asset used to gain a competitive edge. As a consequence, as personal information flows within a nation and around the globe more easily, it is harder for individuals to keep control over their personal data and to keep their privacy intact. It is now also more common for businesses to suffer data breaches and cyber-attacks. That is why the GDPR was introduced: to enhance data protection by giving individuals control over their personal data and by regulating how entities may process it.
Enforcement approaches and trends - inconsistency
Since its implementation in 2018, Data Protection Authorities (‘DPAs’) have made use of their enforcement powers, such as warnings, administrative fines and processing limitations, in order to ensure that the main purposes of the Regulation are fulfilled across the EU: giving individuals control over their personal data and preventing its abuse. Since 2019, DPAs have greatly increased their enforcement activity, issuing around 386 fines with a total amount of €245,355,706. This can be considered a positive growth of GDPR enforcement. However, the severity and level of fines vary across the EU, for example:
- Google Inc. has received the highest fine of all, totalling €50 million, imposed by the French Data Protection Authority (‘CNIL’), while a police officer has received the lowest fine, totalling €48, imposed by the Estonian Data Protection Authority.
- Even though Germany and France have imposed a similar total in fines, around €52,000,000, Germany has levied 27 fines while France has levied only 6.
- Even though Spain has been the most active DPA in levying fines, imposing a total of 147, its fines have been relatively low compared with those of other EU jurisdictions. For example, Telefónica Móviles España was fined €55,000 for processing personal data to activate telephone lines that the data subject had not requested.
- Malta has been one of the less active DPAs. Surprisingly, it has imposed only one fine so far, of €5,000, against the Lands Authority. The Authority did not have adequate security measures in place on its website, which led to a data breach: personal data, including sensitive data, was publicly accessible on the internet through a simple Google search.
These figures show that DPAs across the EU have taken different enforcement approaches and trends, which places organisations and individuals in a vulnerable position, as they lack clarity on how severe an unlawful action is and on which practices are acceptable and which are not. For instance, in Spain a property owner was fined €1,000 for unlawfully monitoring public areas using a CCTV camera, while in Greece the exact same violation resulted in a fine of €8,000.
These different enforcement approaches and trends are incompatible with the aim of the GDPR being a regulation, which is for it to be interpreted and enforced homogeneously within the EU and by the DPAs. A regulation, in contrast with a directive, is binding and directly applicable throughout the EU. It becomes part of national law without the need to be transposed into national law, in other words without the need for member states to promulgate a new law.
Why is there an enforcement inconsistency?
Unfortunately, one of the main reasons why the enforcement of the GDPR has been inconsistent is the lack of budget and resources. As Věra Jourová, Vice-President of the European Commission for Values and Transparency, and Didier Reynders, the EU Commissioner for Justice said “The national data protection authorities, as the competent authorities to enforce data protection rules, have often not yet reached their full capacities. We therefore call upon Member States to equip their data protection authorities with the adequate human, financial and technical resources to make effective use of their enforcement powers.”
From the individual replies of the data protection supervisory authorities it is noted that, from 2018 to 2019, the human and financial resources provided to DPAs barely increased. Almost half of DPAs have budgets of under €5 million. Of the 30 DPAs in Europe, only 9 reply that they are satisfied with their allocated resources.
This highlights the importance of DPAs having appropriate resources and enforcement powers, so that they are able to cooperate with each other and avoid contradictory sanctions across the EU. This would bring legal certainty to individuals: they would know that if their personal data is processed in more than one jurisdiction it will be protected in the same way all across Europe, and that if their personal data is misused, the party responsible will be adequately sanctioned regardless of where it is based.
Enforcement future
That being said, it is clear that the harmonisation and standardisation of GDPR enforcement is an ongoing process. As the Regulation has been applicable for only two years, there is hope for greater progress in the following years, since it is expected that DPAs will impose more fines and that there will be more civil actions. The future development of case law will hopefully bring clarity and uniformity regarding interpretation, good practices, sanctions and enforcement across the EU. It is also expected that, as DPAs’ decisions are appealed, enforcement will become more aligned within the EU. To achieve this greater harmonisation and standardisation of GDPR enforcement, the DPAs should be provided with the appropriate human and financial resources to improve both the quality of enforcement and the cooperation between DPAs.