The EU Privacy chief told Reuters that regulators will start exercising their new powers soon.
The European Union’s General Data Protection Regulation (GDPR) became enforceable back on May 25th. But in the first few months, most Data Protection Authorities – the regulatory organizations overseeing GDPR compliance – have given businesses a pass as they attempt to adjust to the new rules.
That’s all about to change though.
In an interview with Reuters on October 9th, European Data Protection Supervisor Giovanni Buttarelli explained that regulators are ready to begin levying penalties against companies that run afoul of the GDPR.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters.
What kind of penalties can DPAs enforce?
Before we get into penalties, it’s probably important that we have a quick refresher on the distinction between controllers and processors. Under the GDPR, controllers have more liability as they are considered the owner of the personal data. A processor is a third party that processes that data on behalf of the controller, but is itself not in ownership of the data. Controllers can process. Processors can’t control.
That’s an important distinction because, as we said, controllers face harsher penalties and can even be liable for their processors’ security lapses in some cases. This is why all partners need to operate under a Data Processing Agreement, which outlines the security mechanisms and processes that must be in place.
There are two tiers of penalty:
- Lower tier: 2% of global revenue or €10 million (whichever is greater)
- Higher tier: 4% of global revenue or €20 million (whichever is greater)
For all the folks using US dollars, €20,000,000 is about $23,000,000. Fines can be imposed on any company that does business in Europe. So even if you’re headquartered in Schenectady, NY, you can still find yourself subject to European penalties.
In addition to the fines, Buttarelli also said that there could be bans put in place.
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli said.
So far, the DPAs have been bombarded with complaints; France and Italy specifically have reported a 53% increase in reporting since last year.
On to E-Privacy!
Buttarelli himself does not dole out the penalties – that’s the responsibility of the various DPAs representing their respective EU states. What he does is coordinate the work of these privacy agencies.
That gives him a unique vantage point from which to comment. He also urged EU member states and lawmakers to press forward on overhauling the E-Privacy directive, which could extend telecom privacy rules to tech giants like Microsoft and Google.
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. It would be really a dereliction of duty if the EU cannot update soon before the (European Parliament) elections its rules on confidentiality of communication,” Buttarelli said. “I think there is a margin of maneuver for sustainable compromise although there are points which cannot be negotiated. For instance the scope of application of e-privacy to over-the-top, beyond the telcos, the tech giants.”
EU Parliamentary elections are next May so a lot of work must still be done on E-Privacy. In the meantime, look for GDPR penalties to start getting handed down by the year’s end.
As always, leave any comments or questions below…