GDPR: The fines are coming – likely by year-end
The EU Privacy chief told Reuters that regulators will start exercising their new powers soon.
The European Union’s General Data Protection Regulation (GDPR) became enforceable back on May 25th. But in the first few months, most Data Protection Authorities – the regulatory organizations overseeing GDPR compliance – have given businesses a pass as they attempt to adjust to the new rules.
That’s all about to change though.
In an interview with Reuters on October 9th, European Data Protection Supervisor Giovanni Buttarelli explained that regulators are ready to begin levying penalties against companies that run afoul of the GDPR.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters.
What kind of penalties can DPAs enforce?
Before we get into penalties, it’s probably important that we have a quick refresher on the distinction between controllers and processors. Under the GDPR, controllers carry more liability because they are considered the owner of the personal data. A processor is a third party that processes that data on behalf of the controller but does not itself own the data. Controllers can process. Processors can’t control.
That’s an important distinction because, as we said, controllers face harsher penalties and can even be liable for their processors’ security lapses in some cases. This is why all partners need to operate under a Data Processing Agreement, which outlines the security mechanisms and processes that must be in place.
There are two tiers of penalty:
- Lower tier: 2% of global revenue or €10 million (whichever is greater)
- Higher tier: 4% of global revenue or €20 million (whichever is greater)
For all the folks using US dollars, €20,000,000 is about $23,000,000. Fines can be imposed on any company that does business in Europe. So even if you’re headquartered in Schenectady, NY, you can still find yourself subject to European penalties.
In addition to the fines, Buttarelli also said that there could be bans put in place.
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli said.
So far the DPAs have been bombarded with complaints. France and Italy specifically have reported a 53% increase in complaints since last year.
On to E-Privacy!
Buttarelli himself does not dole out the penalties; that’s the responsibility of the various DPAs representing their respective EU member states. What he does is coordinate the work of these privacy agencies.
That gives him a unique vantage point from which to comment. He also urged EU member states and lawmakers to press forward on overhauling the E-Privacy directive, which could extend telecom privacy rules to tech giants like Microsoft and Google.
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. It would be really a dereliction of duty if the EU cannot update soon before the (European Parliament) elections its rules on confidentiality of communication,” Buttarelli said. “I think there is a margin of maneuver for sustainable compromise although there are points which cannot be negotiated. For instance the scope of application of e-privacy to over-the-top, beyond the telcos, the tech giants.”
EU Parliamentary elections are next May so a lot of work must still be done on E-Privacy. In the meantime, look for GDPR penalties to start getting handed down by the year’s end.