The European Union’s data privacy regulation went into effect back in May, but the large fines have yet to materialize, leaving unsettled the question of whether GDPR will actually impact how enterprises handle consumer information.
One of the ways the EU General Data Protection Regulation (GDPR) was different from previous regulations was the the fact that it had teeth—fines could be set as high as 4 percent of the company’s global annual revenues.
However, it is up to the regulators to actually apply those hefty fines if organizations do not safeguarding consumer data. If those penalties don’t materialize, that removes the pressure to comply for organizations balancing business risk and the price tag for updating their systems and processes. They may be willing to take their chances with the regulators and not make any costly or time-consuming changes.
“They [organizations] can spend millions of dollars to fix a problem, or pay tens—maybe, hundreds—of thousands in fines,” said Matt Radolec, a security architect manager at Varonis Systems. “[They’re] going to take the fine.”
Carrots Over Sticks
For organizations to make lasting changes in data privacy, “it has to be more risky to ignore GDPR,” Radolec said.
If it becomes too expensive to try to “absorb the fines,” organizations would prioritize addressing existing issues and not adding new features that would run afoul of the rules, he said.Right now, there is nothing scary about paying tens of thousands of dollars in fines.
Germany’s regional data protection watchdog, Baden-Württemberg (LfDI Baden-Württemberg), recently fined social media platform Knuddels.de(statement in German) a mere €20,000 ($22,700) after 1.87 million username/password combinations and 800,000 email addresses were dumped on text-sharing sites Mega.nz and Pastebin. The maximum potential fine could have been as high as €20 million, especially since the company had “knowingly violated its duty to ensure data security” by storing passwords in plaintext. Instead, the data protection authority decided on a small fine, praising the company for its “exemplary transparency,” for cooperating with the investigation, and for implementing new protective measures.
“The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users' data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI,” Baden-Württemberg said in a statement.
Enterprises scrambled earlier this year to meet the GDPR deadline in May, and many security experts were hopeful that the focus on data privacy would translate to improved policies around data collection, retention, and management. Since then, regulators from France, Germany, and the United Kingdom have applied dozens of fines to companies for pre-GDPR violations, but it’s still early days for GDPR enforcement. Dutch regulators have carried out inspections across different sectors, but most penalties have still been modest, such as the €48,000 imposed on bank for not providing customers with a copy of the personal data it processed in a timely manner. The fact that fines haven’t been that high seems to be intentional.
"The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users," the German regulator said.
Even the United Kingdom’s Information Commissioner’s Office (ICO) said as much when GDPR was originally being crafted. “This law is not about fines. It’s about putting the consumer and citizen first,” wrote Elizabeth Denham, the UK’s information commissioner. “Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
While GDPR gave the ICO the ability to impose fines greater than the £500,000 ($633,000) maximum allowed under the previous rules, Denham said it would be “scaremongering” to suggest that large fines will be common, or that companies will be punished heavily to show other companies why they need to do better. The ICO has plenty of other tools at its disposal—warnings, reprimands, and corrective orders—and under GDPR, the agency will continue to rely on those methods rather than “the sledgehammer in our toolbox” [heavy fines] to get companies to comply, Denham said.
“Issuing fines has always been, and will continue to be, a last resort,” Denham wrote.
Most GDPR actions to-date have been breach related and not the result of proactive audits by regulators or complaints filed by privacy activists. Regulators are aware that the general public is more aware of data breaches and that consumers are paying attention to what kind of consequences organizations face for not taking care of the data. The European Union’s data protection supervisor, Giovanni Buttarelli, recently said the first GDPR enforcement actions were on the way.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters in an interview.
These enforcement actions will “test the waters” for the public’s appetite for regulation, Radolec said.
Perhaps the real test of GDPR is waiting somewhere in the list of complaints already filed against well-known companies, including Google, Microsoft, and Facebook. No one really knows where those cases will wind up, or what form enforcement would take. One case to watch would be the set of complaints against Google’s location tracking feature recently filed with the data protection agencies in seven European countries—Czech Republic, Greece, the Netherlands, Norway, Poland, Slovenia, and Sweden. The complaints claimed Google does not make it clear that the only way to fully prevent the GPS from tracking user location on Android is to disable both “Web and App activity” and “Location History.” At the moment, Google can track the user’s location if the “Web and App activity” option is still enabled (it’s on by default), even if “Location History” has been turned off.
“These practices are not compliant with the General Data Protection Regulation (GDPR), as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users’ consent provided under these circumstances is not freely given,” the lobbying group European Consumer Organisation (BEUC) said on the behalf of the countries’ consumer groups. BEUC said users don’t have a real choice whether or not to disable location tracking.
The big question for GDPR isn’t just what kind of fines—or enforcement—that will be set. It’s also how the different countries will handle the complaints. The way the law is currently set up, the complaints are filed to the individual country’s national data protection authority and it is up to the laws of each country on how strict it will be enforcing GDPR. There isn’t a pan-European entity to handle the regulation or to coordinate enforcement actions across borders. Some countries are just beginning to pass their data protection laws that match GDPR requirements.
There may be no consistency in what kind of penalties or enforcement actions will be set.
Whether or not organizations invest in security—or even, how much—has more to do with competing obligations and limited resources and less on how much they care. Incentives and penalties can help tip the decision-making in favor of security. But right now, it’s not clear if companies will just “ask for forgiveness” after the fact, or if they would use the prospect of high fines as the inventive to change how they handle user data.
UK ICO Denham said GDPR’s maximum fines underscores the law’s importance. “Heavy fines for serious breaches reflect just how important personal data is in a 21st Century world.”
But the law will become just another checkbox if the consequences of not protecting the data—the fines—are not high enough.