GDPR: Are the fines real?
Under the General Data Protection Regulations (GDPR), organisations may be fined up to €20 million, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In January 2019, the French Data Protection Authority fined Google €50 million for GDPR violations. When the European Union’s GDPR went into effect in May 2018, many organizations feared heavy fines based on GDPR violations. Big headlines such as the fine issued against Google reinforced this perception. While the potential for large fines is real, organizations may find it helpful to understand the context of the current fines issued based on GDPR violations, and how that may or may or may not relate to them.
Who are filing the complaints?
Most actions are initiated by complaints filed with data protection authorities, not random data protection inspections by government agencies. Two of the leading data protection advocacy organizations are None of Your Business (NOYB) and La Quadrature Du Net. These are the organizations that filed the initial complaint that resulted in the Google fine. Almost immediately after the GDPR went into effect, NOYB and La Quadrature Du Net filed complaints against Apple, Facebook, Google, Instagram, LinkedIn and WhatsApp. Currently, NOYB is targeting streaming companies like Netflix, Spotify and YouTube
Other sources of complaints are data subject access requests (DSARs). Under the GDPR, people (“subjects”) can contact organizations and require the organization to confirm they retain personal data on that subject and provide a copy of the personal data they retain. Organizations have 30 days to respond to these requests. When an organization fails to respond, the subject can file a complaint with their national protection authority. Enough of these complaints will trigger an investigation.
Read the full report above