This Saturday is the one-year anniversary of the General Data Protection Regulation’s arrival, and so far fines and warnings have been splintered across Europe.
To date, there hasn’t been any significant sign of strict enforcement to date, bar French regulator CNIL’s attempt to fine Google €50 million ($57 million) to Google. That may be a drop in the ocean for Google, but it stacks up when you add it to the €8.2 billion ($9.1 billion) of anti-competitive fines Google has incurred from Brussels
Many ad industry executives believe the true effects of GDPR are yet to come. The trend to be more transparent with users around how businesses use their data online for commercial benefit, is going global. On May 21, judiciary hearings were held in the U.S. to assess whether a federal law should be passed for data privacy.
Witnesses at the hearing included AppNexus founder Brian O’Kelley and privacy browser Brave’s chief policy and industry relations officer Johnny Ryan. Both testified on the need to set controls around businesses’ use of individuals’ personal data online. “We need to establish a consumer data bill of rights to ensure transparency, control, security and portability of data,” said O’Kelley at the hearing. He also called for the closure of anti-trust loopholes that allow Google and Facebook to continue increasing in size and market dominance unchecked.
By January 2019, a total 95,180 complaints had been made To DPAs across Europe, according to the European Commission. Not all of them relate to advertising or media businesses. It’s getting a little confusing as to who has been fined and for what purpose. Here’s a recap on some of the most notable.
Country regulator: DPA Ireland
Open investigations into the following companies:
Google: On May 23, the Irish DPA, the lead regulator assigned to assess Google’s (and Facebook’s) GDPR processes, revealed its first investigation into Google.
Facebook and subsidiaries WhatsApp and Instagram: 11 investigations ongoing
Twitter: three investigations
Apple: two investigations
LinkedIn: one investigation; obtaining emails from 18 million people not already members of the social network, then using them to target those people ads on Facebook.
Quantcast: one investigation into how it aggregates and processes user data for creating profiles.
A number of these inquiries are at an advanced stage and the DPA expects the first decisions to come out this summer. The Irish DPA may be among the smallest in terms of resource with 113 staff (compared with the U.K. regulator the ICO which has 700, for example), but it will play a very important role in all GDPR fines given Facebook and Google have both registered their European headquarters in Ireland. This makes the DPA the lead on these two juggernauts, which are the two most under attack from privacy activists. However, the European Data Protection Board exists to ensure that all DPAs can share resource and are aligned on all judgments.
Fine: £500,000 ($632,000)
Date of fine: July 2018
Violation: The social media platform’s part in the misuse of consumer data in the Cambridge Analytica scandal. The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000. The ICO plainly stated that had the breaches occurred after the arrival of GDPR on May 25, 2018, the fine would have been far higher.
Company: Parenting site Emma’s Diary
Fine: £140,000 ($177,000)
Date of fine: July 2018
Violation: Collected personal information for the purpose of membership registration through its website and mobile app. Shared approximately 34.4 million records between through 2017 and 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky, for online direct marketing purposes.
Company: Parenting site Bounty
Fine: £400,000 ($506,000)
Date of fine: April 2019
Violation: Careless data sharing of sensitive information on pregnant women with third-party companies in order to send online direct-marketing messages.
Country regulator: France CNIL
Fine: €50 million ($57 million)
Date of fine: Jan. 2019
Violation: For making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
Company: Mobile ad tech vendor Vectaury
Warning: Ordered to expunge all data and change business practices.
Violation: Misuse of location data.
The company made the changes, and CNIL removed the probe after determining the changes were satisfactory.
Country regulator: competition authority Bundeskartellamt, Germany
Fine: Facebook can no longer combine user data from separate apps like WhatsApp and Instagram without those users’ explicit consent.
Date of ruling: Feb. 2019
Violation: This is Germany’s anti-trust watchdog, not its privacy authority. However, the ruling is related and significant because it seeks to restrict how Facebook processes user data across its products, without their knowledge or consent.
Country regulator: German DPA LfDI
Company: Social media company Knuddels.de
Fine: €20,000 ($22,000)
Date of ruling: Nov. 2018
Violation: The company reported a hacking attack which resulted in the unauthorized disclosure of 808,000 users’ email addresses and passwords. Although this fine is small potatoes, that is because the company contacted the LfDI directly after the hack and also informed its users, which was taken into account. Germany has multiple DPAs which represent different federal states and have issued 41 fines in total between them.
Country regulator: Poland DPA
Company: Digital marketing business Bisnode
Fine: €220,000 ($246,000) Estimated cost of rectifying the violation: €8 million ($9 million.)
Date of ruling: March 2019
Violation: Accused of scraping and processing personal data and ordered to contact the some 6 million people whose data it allegedly did not have consent to use. The company chose to delete the records rather than shell the millions it predicted it would cost to contact all users.
Country regulator: Denmark DPA
Company: Taxi firm Taxa
Fine: €161,000 ($180,000) 2.8% of company’s annual turnover
Date of ruling: April 2018
Violation: Retaining users’ phone numbers for three years after attaining them. Prior to GDPR, a fine of this kind in Denmark would not have exceeded €3,350 ($3,900.) The ruling was that the company did not have grounds for legitimate interest.