GDPR’s potential fines of 20 million EUR or 4% of global annual turnover had organizations across the globe shaking in their boots, but was the fear really warranted? Now that GDPR has been in effect for a full year, let’s take a look at what’s happened thus far.
Who has been issued GDPR fines so far?
One month before GDPR came into effect, a study conducted by the Cloud Security Alliance found that 83% of companies didn’t feel very prepared. One year later we see that many companies had a good reason to feel that way.
According to the European Data Protection Board (EDPB), 9 months after GDPR came into effect, Supervisory Authorities from 11 countries in the European Economic Area had already levied a total of almost 56 million EUR worth of fines.
Here are just a few examples:
German online chat platform “Knuddels” was the first organization to be fined for a GDPR violation. The fine totaled 20,000 EUR and was issued after attackers were able to gain access to 330,000 user passwords stored in plain text. Leniency was shown for the company’s quick response to notify users and remedy the situation. In the months that followed, 40 more companies were issued fines in Germany alone, the highest of which was 80,000 EUR for a case involving medical information that ended up on the internet. Further details on that particular case have not been released.
"20 grand here, 80 grand there... these all sound kind of low, where did the rest of the 56 million come from?"
One of the larger fines included a Portuguese hospital that was fined 400,000 EUR for multiple violations. They included failure to limit access to personal data to only those who needed it, a lack of technical and organizational measures to prevent unlawful access to personal data, and failure to assess risk.
Social media platform Facebook was struck with a 500,000 GBP fine for violating the Data Privacy Act, the UK’s equivalent to GDPR, for data breaches in the Cambridge Analytica scandal. The largest fine of all, which makes up almost 90% of the total fine amount cited in the EDPB report, was a 50 million EUR fine issued to Google for how it uses data for ad-targeting.
In case you missed it, check out our GDPR review from after the half year mark to see how things have progressed:
How big were Google and Facebook's GDPR fines really?
For smaller organizations, even a 10,000 EUR fine could be very painful. For tech giants like Google and Facebook on the other hand, 50 million is pocket change.
To put things in perspective, in 2018, Facebook’s global annual turnover was 55.9 billion USD. 500,000 GBP is equivalent to about 630,000 USD, meaning that fine amounted to 0.0011% of their global annual turnover. That’s virtually nothing. For someone who makes 50 grand a year, that’s the same as being fined 55 cents.
Google’s parent company, Alphabet Inc., makes more than twice as much as Facebook on a yearly basis. Since 2016, Alphabet Inc.’s global annual turnover has consistently been upwards of 100 billion USD. In 2018 it was 136.8 billion. 50 million is 0.037% of that. If you work a full time job you could compare that to having half an hour’s worth of pay docked from your annual salary. That’s not nothing, but it’s still not much. If we compare it to 50 grand a year again, 0.037% of that would be $18.50.
Is GDPR just a paper tiger?
It might seem that way for now, but there are fines looming that may have much bigger teeth than what we've seen so far. Facebook is currently facing a potential 2.2 billion USD fine for insecurely storing users' passwords. Just a few days ago, Ireland's Data Protection Commissioner opened an investigation into the way Google handles personal data for its ads, which is just one of 51 large-scale investigations currently in progress.
As many of the companies that were subject to GDPR, the legislators meant to enforce it were also unprepared and many countries are still understaffed to adequately manage all of the breach notifications and complaints coming in. However, as Supervisory Authorities across the EEA begin to get the swing of things, multimillion and even billion euro fines for GDPR violations could become a regular occurrence.
What's next after GDPR?
GDPR-like laws are appearing in more and more parts of the world. No matter what geography you’re in, sooner or later most companies in the world will be subject to data privacy laws on par with GDPR. GDPR has already inspired similar regulations such as CCPA in the US and LGPD in Brazil. Since CCPA passed, proposals for similar legislation have been made with bipartisan support in many other States and on the federal level. Even industry leaders are suggesting a GDPR-like federal data privacy law in the US, including Apple CEO Tim Cook. For their sake, a federally applicable standard would be much easier to mange than 50 different ones.
As more of these regulations begin to appear, globally operating organizations will have to look towards cross-regulatory compliance strategies in order to more efficiently manage and fulfill overlapping requirements.