While we are still working to shed more light on the invisible cases (more on this likely in next year’s edition of the ET Report), we believe that it is valuable to look at the numerous cases beyond the already well-known record fines/landmark cases. Even if the fines do not reach double- or triple-digit millions, the available information is often helpful for risk management purposes: What were the facts on which the fine was based? How did the case come to the attention of the DPA? What exactly is the accusation of having violated applicable law? Looking into the details of the cases often shows that controllers do not per se carry out unlawful data processing; what is sanctioned is often the unlawful part of an otherwise permissible processing activity (for example, processing that goes beyond its legal basis, its stated purpose or an appropriate retention period).
As we are aware that such detailed research in the Enforcement Tracker may be burdensome, here are some overall takeaways:
- We already stressed this aspect in last year’s ET Report, and it has only become more evident over time: There is hardly an area of European data protection law (still) shaped more by national laws and official practice than GDPR fines. The administrative/sanctions law environment, the position, personnel and equipment of the authorities, and finally an authority’s self-confidence and understanding of its own role appear to vary significantly between European countries - anything but fully harmonised. Truly understanding the variety of reasons for this “sanctions gap” will still require more intensive (and different) professional research than our team of law firm privacy professionals can provide. As a starter, we have, however, collected some Enforcement Insights per country (available in the ET Report from end of June 2022).
- Regardless of enforcement variations across countries, GDPR fines continue to be serious and are here to stay. Record fines/landmark cases should not obscure the constant increase in the total number of all cases - DPAs have operationalised fine procedures despite certain remaining legal uncertainties and variations in the application of the law.
- Insufficient legal basis for data processing and insufficient technical and organisational measures, as well as non-compliance with general data processing principles, lead the “GDPR fine trigger” list and need to be on the organisational risk management radar. However, especially the “catch-all provision” on general data protection principles in Article 5 GDPR may be difficult to pin down, as the general principles cover all compliance requirements that are further detailed in the other, more specific provisions of the GDPR. The increasing number of Article 5 fines may be the basis for a more detailed analysis in this respect.
- It goes without saying that data subjects matter in data protection law. Even in the absence of an official priority among GDPR compliance requirements, it is fair to say that violations of data subjects’ rights appear very likely to trigger fines. Insufficient fulfilment of data subjects’ rights and of information obligations rank 4th and 5th in the list of violation types. Considering the complexity of dealing with, e.g., data subjects’ access requests and transparency obligations, the importance of data subject-facing cases of non-compliance should lead to special emphasis on corresponding internal processes, policies and training.
- Sector exposure is highest in industry and commerce (for the third consecutive year) and in media, telecoms and broadcasting (for the second consecutive year). Although the sector cases differ, we make the educated guess that B2C businesses are more likely to be subject to DPA investigations (and eventually to fines): greater “proximity” to data subjects may contribute to this, as may the latter’s willingness to bring (alleged) breaches of law to the attention of a DPA more quickly. Another trigger could be the use of new technologies (= higher likelihood of “risky” processing of consumer data), promoted by the constant pressure to innovate in these business sectors.
- Also in this edition of the ET Report, we had to include a reference to the risks of monitoring persons, which is already familiar to our loyal readers. Although the focus of these cases is still on video surveillance (CCTV), the criteria visible there for the use of invasive means of surveillance could also be relevant for other technical innovations. The more risks an innovative technology may pose for the “rights and freedoms of data subjects”, the more appropriate risk management requires a deep dive into the details (and corresponding documentation). For this purpose, it is necessary to perform an extensive factual, legal and technical assessment before designing and installing innovative technology. And as always in data protection law: the definition of purposes is the starting point of everything.
- Judicial review of authority decisions is an essential pillar of rule of law principles - and decisions by DPAs (including enforcement notices or fining decisions) are no exception. The more risks are at stake, the higher the probability that an organisation may not - or at least not immediately - accept a DPA decision. In the same way that the number of data protection-related questions referred to the ECJ is on the rise, the judicial review of decisions imposing fines is also likely to increase - which will hopefully lead to an increase in legal certainty in the interpretation of the GDPR. In the meantime, you may wish to jump to the Enforcement Insights per country section to learn more about different procedural details in various jurisdictions – and reach out to your trusted legal advisor to assess your chances if the worst-case scenario of a GDPR fine has materialised.
C. Enforcement Insights per business sector
I. Finance, insurance and consulting
The increase of fines in the finance, insurance and consulting sector (already observed over the last years) has continued, with additional fines ranging in the millions. Strikingly, the highest four fines were all imposed due to a lack of adequate internal compliance measures to ensure a sufficient legal basis for the processing of customer data. In each case, the controllers had failed to obtain effective consent for the data processing.
Therefore, businesses in the finance, insurance and consulting sector should firmly establish and implement comprehensive processes to ensure a clear legal basis for each data processing activity. In particular, they should put in place adequate mechanisms to obtain effective consent from their customers where necessary (in the absence of a statutory basis) and to ensure that data is only processed in accordance with this consent. In addition, authorities seem to look more closely at how exactly consent was obtained and whether data subjects were fully informed by the controller.
Moreover, insufficient data security measures resulted in significant fines and might also cause considerable reputational damage. Accordingly, companies operating in the financial and insurance sectors as well as consulting companies should focus on strong data security measures. As digitalisation advances in the finance, insurance and consulting sector and more and more services are provided online or via apps, data security will become even more important. This applies all the more as these companies operate in a highly regulated environment and are therefore subject to strict scrutiny regarding their data security and general IT security, not only by DPAs but also by financial regulators.
II. Accommodation and hospitality
The accommodation and hospitality sector includes global players as well as the kebab stand or B&B next door, and recent cases indicate that especially non-compliance with general data protection principles may result in fines even for SMEs. On a larger scale, DPAs have shown that they are willing to impose 5-, 6- or even 7-figure fines, especially when large amounts of personal data are exposed due to insufficient data security measures (blending into a cross-sector trend and emphasising the importance of data security).
III. Healthcare
The key causes of fines in the healthcare sector continue to originate from technical and organisational data protection deficiencies, in particular inappropriately set up (or missing) access restrictions and access management systems. This remained a common issue across many healthcare institutions and without a particular regional focus. However, it is noteworthy that in the past year, the authorities in Sweden and Italy have been particularly active in the field of healthcare.
In addition to technical and organisational measures for the prevention of data breaches, it is advisable to also implement measures that help to identify the start, duration and scope of a potential attack (e.g. sufficient logging and log retention), in order to be able to adequately inform the authorities and affected data subjects. The lack of such measures for managing the worst-case scenario became the subject of a fine in the past year.
The COVID-19 pandemic showed that the existing digital data processing structures were not yet ready to meet newly arising needs. New systems had to be set up rather quickly which led to the use of readily available, but inappropriate tools and lack of further organisational measures.
IV. Industry and commerce
The industry and commerce sector experienced severe fines for non-compliance with general data protection principles and insufficient data security measures. DPAs have shown that they are willing to impose 6- or even 7-figure fines for insufficient technical and organisational measures, especially when large amounts of personal data are exposed to public access. In relation to general data processing principles, DPAs are closely examining the necessity of data processing and the length of storage periods. With some record fine cases in the industry and commerce sector, special attention will be paid to any appeal against / judicial review of DPA fining decisions.
V. Real estate
Businesses in the real estate sector frequently perform “high risk” processing activities – ranging from prospective tenants’ ID documents or detailed financial information to the operation of CCTV systems (often by data processors/service providers) to protect property against theft, vandalism and similar inconveniences. The implementation of adequate technical and organisational measures is key, as is a special focus on general processing principles such as data minimisation or storage limitation.
VI. Media, telecoms and broadcasting
VII. Transportation and energy
As an exception to the overall trend of increasing fine numbers, the number of cases in the transportation and energy sector has decreased compared to recent years. On the other hand, the average fine amount has increased. The latter could be explained by a less cautious attitude of the DPAs, especially in member states where the economic impact of the COVID-19 crisis has turned out to be less severe than initially expected.
Despite fines in the transportation and energy sector being the highest across all sectors by far, they are still determined by the same criteria: In particular, the number of data subjects involved and the severity of the individual violations, but also the willingness to cooperate with the respective DPA, have represented important factors in determining the amount of the fines.
Several DPAs have imposed fines in the transportation and energy sector for the first time since the GDPR came into effect. Some DPAs, in particular the Italian Garante and the Spanish AEPD significantly increased their fines. The majority of DPAs focused specifically on the legal basis and the purposes of the data processing. However, the number of fines for lack of technical and organisational measures was substantially lower in this sector. It could be that the sector has responded well to the close monitoring of this issue by DPAs in recent years.
VIII. Public sector and education
Public authorities have a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security. The same applies to schools and other educational establishments, in particular those that process personal data of minors. DPAs appear to have increased scrutiny of the public and education sector since the last ET Report, notably in connection with the use of technology during the COVID-19 pandemic. In 2021, the majority of fines in the public sector were imposed on educational institutions. Depending on the future impact of COVID-19 management, more related violations may be sanctioned in the coming years. Further, the number of fines in the public sector for violations of data protection law with regard to the processing of sensitive data (e.g. health data), profiling and tracking or surveillance of individuals has increased over recent years. It seems likely that this trend will continue in the future.
IX. Individuals and private associations
If one goes by public perception, the GDPR seems to be aimed primarily at “digital global players”. The analysis of the individuals and private associations sector, however, paints a slightly different picture: The total fine amount has nearly doubled compared to the last ET Report (with the highest number of fines imposed in Spain (44) and Germany (23)).
DPAs tend to treat bigger non-profit organisations (especially sports associations) just like similarly sized businesses. Fines were imposed for various aspects of non-compliance, ranging from insufficient technical and organisational measures to non-compliant data subject information. For the smallest controllers – i.e., individual entrepreneurs and private individuals – the DPAs apparently paid close attention to the extent to which the violation was foreseeable by the individual and to the purpose of the processing activity in question. The number of data subjects and the violator’s intention to pursue economic interests with unlawful data processing were particularly important.
Blending into an overall trend and emphasising a focus on intrusive processing activities, nearly half of all fines in this sector were related to video surveillance/CCTV, including dashcams in private vehicles. DPAs consider CCTV a particularly risky form of processing for which even private individuals must meet strict requirements – notably if CCTV is operated in public areas.
We still assume that the protection of employee data will remain a key field of activity for DPAs, considering the overall importance of its processing for companies of any size and in any sector. Moreover, employers increasingly rely on evidence based on the processing of personal data in employment court proceedings. On the other hand, employees may be more likely to raise complaints with a DPA, especially in conflict situations (including but not limited to cases ultimately brought before employment courts).
In our experience, employers have had to justify their data protection compliance not only to DPAs but also to trade unions and/or works councils in recent years. Employees are increasingly exploiting employers’ uncertainties about data protection to assert other legal positions against employers.
At the same time, cases involving the processing of employee data remain legally complex: The processing of personal data in the employment context is closely linked to the national legal framework governing the employment relationship. The established interpretation of such national employment laws usually influences the permitted extent of employee data processing.
A first analysis of employee data-related fines indicates that employers’ reliance on a statutory legal basis (such as performance of the employment contract) for their data processing may be the best choice. Employee consent remains – due to the assumed structural imbalance between employers and employees – limited to individual, specific cases in which employees have a “real choice”.
We do not resort to witchcraft, nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…), when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. Please find some fine print in our more detailed remarks on methodology.
E. What’s next?
The Enforcement Tracker Report and the Enforcement Tracker are a living project. While the fourth edition of the ET Report will be published in one year’s time (around May 2023), we highly appreciate any form of feedback (constructive is liked best…) and want to thank everybody who has reached out to us so far.
We received interesting thoughts, hints to forgotten fines (hidden deeply in remote corners of a supposedly completely captured world), recommendations for additional features (and our bucket list is growing steadily) as well as relevant contributions from stakeholders located outside Europe demonstrating that the data protection landscape is quickly evolving on a global scale and interfaces between national/regional concepts are developing even in absence of a global data protection law. We interacted with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines.
We strongly encourage you to continue with this interaction. And we apologise in advance if our feedback may take some more time: The data protection world has not calmed down, and this may go on for a while.