Fines for violating the General Data Protection Regulation (GDPR), the central privacy law of the European Union, have soared almost sevenfold in less than a year.
According to law firm DLA Piper, data protection authorities across the EU have handed out fines totalling €1.1 billion for breaches of GDPR rules since January 28, 2021. That's almost seven times more than a year ago when fines totaled €159 million – and the highest amount since GDPR came into force four years ago.
Big Tech companies' astronomical fines
Big Tech companies, with astronomical penalties levied against them, are the main contributors to these record numbers. The US online retailer Amazon is facing the highest fine after Luxembourg data protection authorities hit it with a whopping €746 million penalty. WhatsApp is next in line with a €225 million fine for inadequate personal data processing practices.
GDPR has certainly been effective in making everyone sit up and listen to data protection law and data protection enforcement.
Next, there are open questions over cross-border data transfers between the EU and the US, which affect the two software giants, Meta and Google. Meta was able to challenge the Irish Data Protection Commission's order that it stop using standard contractual clauses (SCCs) for cross-Atlantic data transfers. This order was later dismissed by Ireland's High Court, so both Meta and Google's analytics service are now under the watchful eye of the European privacy guard dogs.
Ever since GDPR was introduced in 2018, authorities all over Europe have been enforcing privacy rights for consumers with greater confidence. The aim is for all EU citizens to have better control over what happens with their personal information. Companies are, therefore, required to show a clear legal basis under which they are collecting and processing users' sensitive data. In case of any breaches, companies must notify authorities about them within 72 hours of the incident. Failure to do so can bring about hefty fines of up to 4% of a company's annual global revenue or €20 million, whichever is higher.
Data transfer disputes
Currently, the biggest challenge facing data protection authorities is to avoid any potential GDPR oversights. They need to ensure compliance with major EU court decisions made back in 2020, including those which limit options for secure transfer of data to the US, the last of which is currently a major issue, according to the chair of DLA Piper's U.K. data protection and security group, Ross McKean.
In 2020, the European Court of Justice invalidated the use of Privacy Shield, used as the framework for legal cross-Atlantic data transfers until that point. Standard contractual clauses (SCCs) have since become the most common method for legally processing transfers.
SCCs, however, are on "life support", according to McKean. Besides, they leave a lot of space for disputes. A good example is Meta, currently caught up in one such dispute with the Irish Data Protection Commission. In the meantime, officials from the EU and US are still working on a new privacy data agreement to replace Privacy Shield.
Future of EU data protection law
Thanks to advancements in the internet, wearable technology, and AI, data protection laws have had to change over the last couple of decades as well. Looking to the future, we can expect further evolution of privacy laws to follow along with anticipated (and even unanticipated) technological innovations.
With new regulations and fines skyrocketing each year, we can likely expect a rise in GDPR appeals, especially with more companies challenging rulings in the last couple of years. It seems many of them have gained the confidence to fight against fines. Companies and organizations no longer hesitate to challenge accusations from data protection authorities. That many of these authorities run on tight budgets, and are often understaffed, certainly makes hunting for mistakes in the prosecution seem a viable endeavor – at least one worth a try, considering the size of the fines otherwise.
Both Amazon and WhatsApp are in the process of appealing their respective penalties. We will follow up with the outcomes of their challenges.