When the GDPR was already in force, but not yet applicable (and not a single fine had been imposed yet), much attention was paid to the formidable fine framework. For many company officers, this caused fear: if I violate the GDPR, I have one foot in jail (or at least my organisation has to pay EUR 20 million or 4% of its global annual turnover, calculated for the whole group, if the company is part of one).
We believe that facts are better than fear.
The continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear, while the annual Enforcement Tracker Report is our deep dive and permits more insights into the world of GDPR fines.
We are pleased that our analysis for this second edition of the ET Report is based on a larger overall data set of more than 570 fine cases, 526 of which made it into the editorial team's worksheet.
We are even more pleased that more international colleagues supported us this time and provided detailed input on enforcement practice, in particular for EU member states in the new member state interviews (Editor's note: the United Kingdom remains part of the Enforcement Tracker Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures regulatory consistency regardless of Brexit).
Local law and practice matter
After almost three years of GDPR application, we are not the only ones to have learned one thing: despite the GDPR's full harmonisation approach, hardly any other area is shaped more by national laws and official practice than GDPR fines. This may be a reason why Spain still tops the list of countries with the most fines this year.
As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download (or even print out for bedtime reading without a digital device).
Numbers & figures and sector approach
We have put together an overall summary of the existing fines in the "Numbers and Figures" section, followed by tried-and-tested analysis for the following business sectors:
- Finance, insurance and consulting
- Accommodation and hospitality
- Health care
- Industry and commerce
- Real estate
- Media, telecoms and broadcasting
- Public sector and education
- Transportation and energy
- Individuals and private associations
plus the overarching category
This in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We also analysed the DPAs' reasoning for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications in terms of data protection litigation – in particular, data subjects' claims for material or immaterial damages under Art. 82 of the GDPR are on the rise. This trend is unlikely to stop, being in particular supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of and resources needed for data protection claims management.
We do not resort to witchcraft nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…) when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. For the "small print", please see our more detailed remarks on methodology. On a more general level, although we have done our best to break down a complex topic into neat pieces, we have resisted the temptation to follow SEO recommendations for the whole content package and would ask you to consider it a "long read" format if you decide to read it in full.
The Enforcement Tracker Report and the Enforcement Tracker are a work in progress. We highly appreciate any form of feedback (preferably constructive…) and would like to thank everybody who has reached out over the last year.
We received interesting ideas, information about forgotten fines (hidden deeply in remote corners of a supposedly completely captured world) and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU – demonstrating that the data protection landscape is evolving rapidly on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have engaged with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines.
We strongly encourage you to continue engaging with us. And we apologise in advance if our feedback takes some time; the data protection world is not a quiet one right now.
Stay safe – and keep on fighting,
Christian Runte, Michael Kamps, editors and the enforcement tracking and reporting team