GDPR: The fines are coming – likely by year-end
The EU Privacy chief told Reuters that regulators will start exercising their new powers soon.
The European Union’s General Data Protection Regulation (GDPR) became enforceable back on May 25th. But in the first few months, most Data Protection Authorities – the regulatory organizations overseeing GDPR compliance – have given businesses a pass as they attempt to adjust to the new rules.
That’s all about to change though.
In an interview with Reuters on October 9th, European Data Protection Supervisor Giovanni Buttarelli explained that regulators are ready to begin levying penalties against companies that run afoul of the GDPR.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters.
What kind of penalties can DPAs enforce?
Before we get into penalties, it’s probably important that we have a quick refresher on the distinction between controllers and processors. Under the GDPR, controllers have more liability because they are considered the owner of the personal data. A processor is a third party that processes that data on behalf of the controller but does not itself own the data. Controllers can process. Processors can’t control.
That’s an important distinction because, as we said, controllers face harsher penalties and can even be liable for their processors’ security lapses in some cases. This is why all partners need to operate under a Data Processing Agreement, which outlines the security mechanisms and processes that must be in place.
There are two tiers of penalty:
- Lower tier: 2% of global revenue or €10 million (whichever is greater)
- Higher tier: 4% of global revenue or €20 million (whichever is greater)
For all the folks using US dollars, €20,000,000 is about $23,000,000. Fines can be imposed on any company that does business in Europe. So even if you’re headquartered in Schenectady, NY, you can still find yourself subject to European penalties.
In addition to the fines, Buttarelli also said that there could be bans put in place.
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli said.
So far the DPAs have been bombarded with complaints; France and Italy specifically have reported a 53% increase in complaints since last year.
On to E-Privacy!
Buttarelli himself does not dole out the penalties – that’s the responsibility of the various DPAs representing their respective EU states. What he does is coordinate the work of these privacy agencies.
That gives him a unique vantage point from which to comment. He also urged EU member states and lawmakers to press forward on overhauling the E-Privacy directive, which could extend telecom privacy rules to tech giants like Microsoft and Google.
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. It would be really a dereliction of duty if the EU cannot update soon before the (European Parliament) elections its rules on confidentiality of communication,” Buttarelli said. “I think there is a margin of maneuver for sustainable compromise although there are points which cannot be negotiated. For instance the scope of application of e-privacy to over-the-top, beyond the telcos, the tech giants.”
EU Parliamentary elections are next May so a lot of work must still be done on E-Privacy. In the meantime, look for GDPR penalties to start getting handed down by the year’s end.
RELATED: Google and Facebook are Shirking GDPR
As always, leave any comments or questions below…
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: Don’t forget to train your Support Team
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach