However, there were many similar fines related to the GDPR before this one. One of the biggest was the
£500,000 fine given to Facebook for the notorious Cambridge Analytica scandal. The fine was the maximum allowed under the old data protection rules that applied before GDPR took effect.
Not only have European countries demonstrated different strategies on penalties, they have also set up different structures for implementing the regulation. In Germany, for example, data protection authorities (DPAs) are organised at the level of the individual German states – but there is also a separate DPA at federal level, with jurisdiction over telecom and postal service companies. The result is that Germany has 17 data protection authorities, instead of just one.
Other problems that have appeared so far include:
- the interpretation of the GDPR’s details, which each EU country has done differently
- different opinions on how to calculate fines
- determining who imposes and collects the fine.
Determining who imposes and collects the fine
One of the best examples of this problem was when France’s Commission nationale de l’informatique et des libertés (CNIL) issued the €50m fine on Google. The company bypassed the GDPR’s one-stop-shop rule that says a company will be fined in the country that hosts its headquarters – in Google’s case, Ireland. The CNIL argued that Google had no main base in the EU in relation to the fine in question, because all decisions concerning the processing of data related to Android and Google accounts were made at the company’s headquarters in the US.
According to Computer Weekly, other EU nations have taken a different approach, investing most of their effort in educating businesses and issuing warnings rather than imposing immediate penalties. That is why the perception of risk differed from one country to another among data controllers.
These different perceptions, in turn, result in differences in the number of data breaches. According to DLA Piper, the top three countries in terms of number of data breaches are the Netherlands, Germany, and the UK.
The Regulation also brought new data breach notification laws. More precisely, according to DLA Piper: “personal data breaches which are likely to result in a risk of harm to affected individuals must be notified to data regulators. Where the breach is likely to result in a high risk of harm, affected individuals must also be notified.”
Sanctions for not complying with this are fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.