GDPR: Has disaster been avoided or is this the calm before the storm?
Can you think back to the end of May 2018? Companies were busy flooding their customers' inboxes with emotional appeals or legal notices seeking consent to data processing. It was shortly before the GDPR came into force, and companies and organizations of all kinds were doing everything imaginable to fend off potentially ruinous litigation, or so you might have thought. News reports reached levels of hysteria not seen since the year 2000. Some even suggested that names might have to be removed from bell pushes in apartment buildings to meet privacy requirements. But the end of the month came quickly, the deadline passed, and now a full 12 months have gone by without any reports of disbanded corporations or rabbit breeders' associations driven to ruin. So was it all a lot of fuss about nothing?
Not quite. Much of the GDPR hysteria came from misunderstood or completely misinterpreted readings of the actual requirements. It's easy to forget that some national legislation, such as the German Federal Data Protection Act (BDSG), which was in force beforehand, was already even stricter than the EU-wide GDPR. In fact, German companies would not have had that much to worry about with the GDPR if they had followed national data protection legislation to the letter, which very few did. Just a reminder: the GDPR is feared not because of its strict requirements but because of the serious fines that may be incurred (up to 4% of annual turnover), and because data protection authorities can impose fines directly and, unlike in the past, no longer have to file a lawsuit.
So what happened in the first 12 months of the GDPR? In a nutshell: Not so much. So far, 81 violations have been recorded in Germany, with accumulated fines of almost 500,000 euros. You can't really call that catastrophic. When British Airways was hacked in September 2018, many thought that the authorities would use the opportunity to set an example. After all, the UK still belongs to the EU. But so far absolutely nothing has happened. In other countries, at least some form of action has been taken. The biggest fine to date hit Google in France: 50 million euros. Google was accused by the French data protection authority of obscuring essential privacy information across multiple documents and making it difficult or impossible for users to find. The outcome of the case is still uncertain, as Google can appeal against the decision. The penalty for a Polish data trader was somewhat lower but still noticeable. The data protection authority UODO imposed a fine of around 220,000 euros on Bisnode AB as the company had failed to comply with its information obligations. It became clear during the procedure that those responsible had acted intentionally and had knowingly not informed data subjects about the use of their personal data.
Germany imposed its first GDPR fine in November 2018. In September, the Knuddels.de website reported a data breach of 1.87 million user names and passwords and 800,000 e-mail addresses of users. The state data protection authority of Baden-Württemberg found that the website had stored the passwords in plain text, which violated the GDPR regulations on pseudonymization and encryption of personal data. As the website operator informed users quickly and transparently, it got off lightly with a 20,000 euro fine.
There have been a handful more offenses in the last 12 months but nothing to warrant a major sensation. Data protection authorities could be taking their time to test the water and get used to applying the new legislation in practice, and they may be taking a light approach as an informal grace period. The next 12 months will show whether there will be more severe sanctions. There is still a great deal of catching up to do in implementing data protection measures, even though the overall situation has improved significantly. The first legal decisions at least show that the authorities seem to be distinguishing between commercial and intentional infringements by companies and unintentional mistakes by non-profit organizations, even if the GDPR does not actually do so. It will certainly be interesting to see how everything pans out and whether a storm breaks, but at least up until now calm and caution have prevailed.