News & Events

Data privacy and the GDPR in 2019: what’s on the horizon?

By:  Jen Horn

When the European Union’s General Data Protection Regulation (GDPR) was introduced in May, one of the biggest questions was how the law was going to be enforced. The GDPR, which also applies to any U.S. company that handles the personal data of EU citizen, requires businesses to clearly state when they’re collecting personal data and ask for users’ consent in doing so. Many believe it will have implications for future data privacy rules in the United States as well. So far, it looks like the law is being taken seriously – regulators across the EU have already begun imposing fines.

Article 83 of the GDPR authorized data protection authorities (DPA) in EU member states to impose fines of up to approximately $22 million USD, or 2% of a company’s worldwide revenues, or, for serious violations, up to approximately $45 million USD, or 4% of a company’s worldwide revenues. However, Article 83 also required that fines had to be “effective, proportionate, and dissuasive.” The somewhat vague language left many companies wondering how large, exactly, the fines might be.

Their first example came in September, when the Austrian DPA fined the owner of a gambling shop because a camera at its front entrance also recorded footage of a public sidewalk. Interestingly, the Austrian DPA found this was a violation of the GDPR because it was considered a prohibited monitoring of public space. The fine, however, was approximately $5,000 USD plus legal costs, and the Austrian DPA acknowledged that the fine was meant to be “proportionate” to the violation.

A hospital in Portugal, however, was not quite as lucky. News was released in October that the unnamed hospital received a fine of approximately $455,000 USD for two separate violations. The first involved patient information that was found to be inappropriately available to non-medical staff; the second concerned the confidentiality and integrity of treatment systems. This is one of the highest fines imposed to date, and the hospital has stated it is appealing the penalty.

Most recently, a German chat platform was fined approximately $91,000 USD for a breach of user passwords that occurred in July. User information and passwords were stored in unencrypted plain text, and hackers managed to gain access to more than 800,000 email addresses and more than 1.5 million user names and passwords, some of which were later published on the Internet. Fortunately, the company’s handling of the event appears to have helped reduce the amount of its fine; the DPA report noted the company’s fast communication of the incident to its users, as well as its total cooperation with the DPA.

So what can this tell us about how the GDPR will be enforced? In sum, it appears that the law will be enforced fairly – but broadly. If a DPA is willing to impose a fine, however small, for a camera that captures too much of a public sidewalk, that’s a sign that the EU is serious about improving data privacy and security for consumers. Just as important, though, is that it also appears a company’s quick and comprehensive response to learning about an issue could lessen the amount of its fine.