3 Years Later: An Analysis of GDPR Enforcement

By Ilse Heine
The European Union’s General Data Protection Regulation (GDPR) was adopted in 2016 and officially launched in May 2018 to govern the use of personal data by both EU and non-EU companies who collect, process, and store the data of EU citizens. For many in the EU, the adoption of the GDPR was considered a historic moment. At the time of its launch, former VP of the European Commission, Viviane Reding, noted that the “reform will restore trust in digital services today, thereby reigniting the engine for the growth of tomorrow.”

Despite being lauded as one of the EU’s greatest achievements, stakeholders expressed skepticism about its implementation. Among businesses, there was confusion about compliance, given the ambiguity of the law, as well as heightened fear of the associated costs. In 2018, a PwC survey found that companies forecasted spending in excess of €1.3 million on GDPR readiness initiatives. Even now, concerns persist about the negative consequences of the law on business growth and innovation.

To comply with GDPR, companies must adhere to several rules, including robust consent requirements, privacy by design, and mandatory breach notifications. The law extends several rights to users to access and control their data, including data portability and the ‘right to be forgotten.’ Each Member State must appoint a Data Protection Authority (DPA) (multiple in the case of federal structures, like Germany) who is responsible for monitoring and enforcing the law. Three years later, even though challenges remain for a more effective implementation, GDPR enforcement has led to improved security practices.

GDPR Fines
Organizations in breach of the GDPR can be fined up to 4 percent of annual turnover, or up to €20 million, whichever is largest. Since coming into force, a total of 839 fines have been issued. While only a mere 16 fines were issued in 2018—and only one was at least €100,000—~302 and ~266 were issued in 2020 and 2021 respectively. The highest fines were issued in 2020, including Google (€50 mil), H&M (€35.3 mil), and Telecom Italia (€27.8 mil) in the EU, and the Marriott International Hotels (€18.4 mil) and British Airways (€20 mil) in the UK. Swedish clothing retailer, H&M had been monitoring and collecting personal information about its employees without proper consent and using this data to build employee profiles and inform employment decisions. In addition to paying the fine, the company adopted several remedial measures, including appointing a new Data Protection Coordinator and presenting a plan to the DPA on how data protection will be implemented in the future. The company also intends to pay compensation to the affected employees.

There are many other examples where GDPR fines have led to positive changes in company policies. According to one GDPR tracker, around 100 fines were issued, alongside corrective measures, because of “insufficient technical and organizational measures to ensure information security.” By comparison, the total number of fines for not sufficiently fulfilling the data breach notification obligation is only around 20, with the highest fine imposed on Booking.com B.V. for €475,000. That said, the number of breach notifications per day has  increased compared to last year.

In general, several Member States have been more proactive in issuing fines. Spain leads in total number of fines with 277 (212 of which were issued in 2021), followed by Italy (88), Romania (62), Hungary (44), and Germany (32). As for total fine amount, Italy leads at €84 million, followed by France (€57 mil), Germany (€49 mil), the UK (€44 mil), and Spain (€32 mil). Luxembourg recently joined these ranks, issuing the largest fine to date on Amazon (€746 mil), which the company plans to appeal. This flurry of activity stands in stark contrast to that of Ireland’s Data Protection Commission (DPC), which has been criticized for being too slow to fine the companies that fall under its jurisdiction.

Ongoing Challenges
The GDPR’s consistency mechanism (coined ‘one-stop shop’) requires that the supervisory authority in the Member State where a company has declared its main establishment take the lead on all privacy related matters. Major tech giants, including Facebook, Twitter, Google, and Apple have declared Ireland their main establishment, making the DPC the lead authority. However, the DPC has been constrained by insufficient resources and staffing, leading to a significant backlog of cases. To date, its only major fines have been issued against Twitter at €450,000 – a small number given the size of Twitter’s revenue, and WhatsApp at €225 million The DPC has argued that they need to take more time with the larger tech companies, given their complexity and size of the potential fines. However, this argument has rung flat among other European regulators. In fact, MEPs voted in May for a resolution which would open an infringement procedure against Ireland for failing to enforce the GDPR.

A ruling by the European Court of Justice (CJEU) also complicated the effective use of the consistency mechanism. In general, the ‘one-stop shop’ mechanism continues to be considered a point of contention among DPAs. Hamburg Commissioner for Data Protection, Johannes Caspar claims that it has resulted in lengthy delays and breakdowns in communication. Despite these criticisms, the European Data Protection Board, which promotes cooperation between the DPAs, has reaffirmed the mechanism and stated that there have been 254 final decisions where it was successfully used. 

Another hurdle for regulators is the disparity between their resources and those of companies. While regulators have limited resources, companies, particularly large ones, have a lot more revenue and manpower at their disposal. As such, companies are learning that they can use their resources to identify weak points in the legal procedures, and launch appeals to lower their fines. In March, the Wall Street Journal reported that 15 appeals had been lodged for fine reductions in the previous six months. In one such case, the Berlin Court overruled a fine issued to Deutsche Wohnen, because they didn’t identify a specific employee who was responsible for the violation. On the other hand, there are also instances where appeals were overturned, as in the case of CNIL vs. Google.

Looking Ahead
The GDPR is still in its early phase, but many countries will continue to monitor its progress as they consider how to craft and effectively enforce their own data protection laws. Australia, Japan, South Korea, Brazil, and China have already modeled their privacy legislation on the GDPR, albeit with context-specific modifications. As short as three years are in regulatory terms, they have a lot to teach regulators and policymakers about where this type of law excels, as well as its potential hurdles and areas for improvement. GDPR enforcement is gradually improving companies’ security practices and protecting people’s privacy, but regulators also struggle with regional consistency and matching their resources to the growing number of requests. It will likely take several years before there is harmonization and a standard baseline in the region.

Ilse Heine is a former research intern with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, DC.

The Strategic Technologies Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).