ABSTRACT
The General Data Protection Regulation (GDPR), which went into effect in May 2018, enabled European Data Protection Authorities (DPAs) to fine companies up to 4 percent of their annual revenue in the event that they were found in violation of the regulation's requirements for data collection, processing, and use. But the regulation gave DPAs considerable leeway to determine how they would implement these penalties. This article analyzes 261 publicly available GDPR enforcement orders issued by DPAs during the first 24 months of the GDPR implementation. The findings show that most GDPR fines levied so far have been relatively small, many of them within the thresholds set by earlier laws prior to the GDPR. Additionally, only half of the GDPR articles for which penalties are designated have actually resulted in public enforcement actions, and those fines that have been levied focus primarily on violations of five particular articles, four of which pertain primarily to user privacy protections. However, despite the fact that most of the fines issued under the GDPR have been in response to privacy violations, the largest fines have been triggered by security incidents, and, on average, security violations still receive larger fines than privacy violations.
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) went into effect, granting the 28 member states unprecedented legal powers to fine companies that failed to comply with the fairly extensive and in many ways ambiguous requirements the law imposed on the collection, processing, and use of personal information. In the two years that followed the implementation of GDPR, states exercised those powers in very different ways, particularly with regard to how much they fined companies found in violation of the regulation and which articles of the regulation they enforced most aggressively. This article draws on a data set of publicly available GDPR enforcement orders issued by European Data Protection Authorities (DPAs) during the first 24 months of the GDPR implementation, through May 29, 2020, as compiled by European law firm CMS. In addition to the current 27 EU member states, this data set includes enforcement orders issued by the United Kingdom (an EU member state at the time of GDPR implementation in 2018, which passed a Data Protection Act in 2018 implementing the regulation) as well as those issued by the Norwegian Supervisory Authority. Even though Norway is not an EU member state, as part of the European Economic Area, it also implemented the GDPR through its Norwegian Personal Data Act in 2018. By analyzing this initial set of GDPR enforcement orders, this article aims to assess how different European countries have wielded the penalties established by the GDPR and what the focus of those DPAs has been during the two years of the regulation's implementation.
Understanding how EU member nations are implementing and enforcing the GDPR is important because the GDPR is a lengthy and complicated regulation—it spans 11 chapters and 99 articles, and lays out a wide variety of requirements for data controllers and processors, as well as rules regarding how data may be transferred and the associated penalties and liability for violations. However, it leaves considerable leeway to individual nations and DPAs in determining how the administrative fines for GDPR violations will be calculated and imposed. This lack of clarity in the regulation is especially significant because fines under the GDPR can be as high as 4 percent of a company's “total worldwide annual turnover of the preceding financial year.” This cap marks a stark departure from the previous EU data protection mandate, governed by the 1995 Data Protection Directive (DPD), which provided no uniform guidance on fines and instead allowed each member state to determine its own penalties within its individual national laws. For instance, prior to the implementation of the GDPR, the Spanish DPAs capped their fines at €600,000, the French Commission nationale de l'informatique et des libertés (CNIL) DPA had a maximum fine of €150,000 for a first-time offense or up to €300,000 for a repeat offender, whereas the United Kingdom's 1998 Data Protection Act (which has since been superseded by the 2018 Data Protection Act, which is in line with the requirements of the GDPR) capped fines for violations at £500,000.1 By comparison, the GDPR caps the largest administrative fines at €20,000,000 or 4 percent of annual revenue—whichever is higher. But the fact that the GDPR allows for significantly larger fines than the previous data protection laws in EU member states does not necessarily mean that states will choose to exercise their ability to issue those larger fines.
Similarly, the GDPR covers a much wider range of data use and processing restrictions than the DPD and the national laws that resulted from it, and it was not clear at the time of the GDPR's implementation which of those many provisions DPAs would take most seriously or enforce most stringently, given their limited resources.
This analysis aims to take an early look at how DPAs in Europe have exercised their vastly expanded fining powers since the implementation of the GDPR through May 2020, spanning the first 24 months of the regulation entering into effect. The implementation of GDPR penalties during this period is not necessarily representative of how DPAs will continue to exercise their authority under the GDPR moving forward; rather, it presents an early snapshot of how European countries first interpreted and applied the provisions of the regulation. Notably, in some EU states, DPAs informally indicated that they would offer a brief grace period or would focus on more egregious or extensive violations of the GDPR in the first few months of its implementation. For instance, Italy announced it would “take into consideration the phase of first application” of GDPR fines for a period of eight months.2 This suggests that the enforcement patterns might have intentionally shifted over the first two years of the regulation's implementation as DPAs began exercising their authority more aggressively over time. Different countries adopted different approaches during this time frame, with some immediately looking to issue significant fines, whereas others took a more cautious approach. In fact, during the period of this analysis, four EU member states—Croatia, Estonia, Luxembourg, and Slovenia—did not impose any public fines under the GDPR whatsoever. Although the 24-month period examined here does not necessarily dictate how the GDPR will be applied in the future in Europe, it does shed some light on the different models for how regulations of this nature may be implemented in other places. This is a matter of particular relevance as other nations may look to the GDPR as a model for their own data protection regulations.
This early analysis also provides a lens to assess which of the many provisions and articles in the GDPR the EU member states view as most important and deserving of aggressive enforcement. This may be useful both to companies trying to learn from the issued enforcement orders and to other countries deciding how to scope and define their own regulations in this space. Importantly, this analysis does not aim to study the dissuasive effects of fines on data controllers or processors or draw any conclusions about links between the severity of offenses and the size of the resulting fines.
Although European DPAs have considerable freedom to determine their own fine models and penalties, GDPR Article 83, “General conditions for imposing administrative fines,” mandates that the DPAs ensure that individual fines issued under the GDPR be “effective, proportionate and dissuasive” and further lays out 11 criteria that DPAs should consider when determining whether to impose a fine and how large that fine should be. These are (1) “the nature, gravity and duration of the infringement … as well as the number of data subjects affected and the level of damage suffered by them;” (2) “the intentional or negligent character of the infringement;” (3) “any action taken by the controller or processor to mitigate the damage suffered by data subjects;” (4) “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them;” (5) “any relevant previous infringements by the controller or processor;” (6) “the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;” (7) “the categories of personal data affected by the infringement;” (8) “the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;” (9) compliance of the controller with previous measures ordered against it; (10) adherence by the controller to “approved codes of conduct” or “approved certification mechanisms”; and (11) “any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” Moreover, Article 83 lays out two distinct tiers of fines, providing some indication of which elements of the GDPR the EU regard as most important or deserving of the highest fines. 
The first tier applies to violations of Articles 8, 11, 25–39, 41, 42, and 43 and is capped at €10,000,000 or 2 percent of total global annual revenue (whichever is higher). The second tier is capped at €20,000,000 or 4 percent of global annual revenue and encompasses violations of Articles 5, 6, 7, 9, 12–22, 44–49, and 58.3 The titles of these Articles are provided in Table 1.
Table 1. List of GDPR Articles That Companies May Be Fined for Violating

Article | Title & Provisions | Fining Tier
---|---|---
5* | “Principles relating to processing of personal data” (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) | 2 |
6* | “Lawfulness of processing” (consent; contract; compliance; vital interests; official authority; legitimate interests) | 2 |
7* | “Conditions for consent” (intelligible and easily accessible requests for consent; right to withdraw consent) | 2 |
8 | “Conditions applicable to child's consent in relation to information society services” (requirement of parental consent for children under 16) | 1 |
9* | “Processing of special categories of personal data” (restrictions on data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”) | 2 |
11 | “Processing which does not require identification” (controllers need not acquire information to identify subjects if it is not needed for their purposes) | 1 |
12* | “Transparent information, communication and modalities for the exercise of the rights of the data subject” | 2 |
13* | “Information to be provided where personal data are collected from the data subject” | 2 |
14* | “Information to be provided where personal data have not been obtained from the data subject” | 2 |
15* | “Right of access by the data subject” | 2 |
16* | “Right to rectification” (right for subjects to correct inaccurate information) | 2 |
17* | “Right to erasure (‘right to be forgotten’)” | 2 |
18* | “Right to restriction of processing” | 2 |
19 | “Notification obligation regarding rectification or erasure of personal data or restriction of processing” | 2 |
20 | “Right to data portability” | 2 |
21* | “Right to object” (subjects may object to processing of their data) | 2 |
22 | “Automated individual decision-making, including profiling” (right not to be subject to a decision “based solely on automated processing … which produces legal effects”) | 2 |
25* | “Data protection by design and by default” | 1 |
26 | “Joint controllers” (controllers must determine respective responsibilities when acting together) | 1 |
27 | “Representatives of controllers or processors not established in the Union” | 1 |
28* | “Processor” (controllers must use data processors who provide sufficient guarantees that they will be in compliance with GDPR) | 1 |
29 | “Processing under the authority of the controller or processor” (processors may only act on instructions from the controller of the data) | 1 |
30 | “Records of processing activities” (controllers must contain records of processing activities) | 1 |
31* | “Cooperation with the supervisory authority” | 1 |
32* | “Security of processing” | 1 |
33* | “Notification of a personal data breach to the supervisory authority” | 1 |
34* | “Communication of a personal data breach to the data subject” | 1 |
35* | “Data protection impact assessment” | 1 |
36* | “Prior consultation” (controllers must consult supervisory authorities before engaging in high risk processing) | 1 |
37* | “Designation of the data protection officer” | 1 |
38 | “Position of the data protection officer” | 1 |
39 | “Tasks of the data protection officer” | 1 |
41 | “Monitoring of approved codes of conduct” | 1 |
42 | “Certification” | 1 |
43 | “Certification bodies” | 1 |
44 | “General principle for transfers” (transfers of data outside the EU must not undermine the protections of the GDPR) | 2 |
45 | “Transfers on the basis of an adequacy decision” (transfers to non-EU countries rely on those countries ensuring an adequate level of protection) | 2 |
46 | “Transfers subject to appropriate safeguards” | 2 |
47 | “Binding corporate rules” | 2 |
48 | “Transfers or disclosures not authorized by Union law” (access to data transferred overseas must be done in accordance with international agreements, e.g., MLATs) | 2 |
49 | “Derogations for specific situations” | 2 |
58* | “Powers” (requirement to provide access to supervisory powers and comply with their orders) | 2 |
Article numbers with asterisks denote that a European DPA has issued a public enforcement order for violations of that article.
Although there are 42 different articles of the GDPR that may result in fines, as listed in Table 1, during the first 24 months of the regulation's implementation, European states issued fines pertaining to violations of only 22 different articles (these are denoted with asterisks in Table 1). This speaks to the importance of studying the actual implementation of such broad and expansive legislation to understand not just what it says but which parts of it are actually being taken up and enforced by DPAs. Additionally, many of the articles of the GDPR outline requirements for data processors and controllers that are open to considerable interpretation by the DPAs. For instance, Article 5 lists the “Principles relating to processing of personal data” as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Violations of these principles can result in the highest fines permitted under the statute (Tier 2) but several of these high-level principles, which constitute the key pillars of the GDPR, are open to considerable interpretation by DPAs as to what they actually mean in practice. What constitutes fair and transparent data processing? Or sufficient safeguards to protect data integrity and confidentiality? The regulation itself is light on specifics, so to answer these questions data processors and controllers must look to enforcement actions. Understanding the implementation of this uniquely forceful and extensive data protection regulation is a crucial window not just into how DPAs are interpreting these provisions but also into the issues that data protection laws in other places may want to address and the importance and urgency that the member states attribute to the different elements of the GDPR. 
This article is organized as follows: The next section provides an overview of related research on the GDPR and use of fines and penalties in data protection policies, the third section describes the data set of GDPR enforcement orders analyzed here, the fourth section describes the results of this analysis, the fifth section offers some discussion of the relevant takeaways from this analysis, and finally, the conclusion provides some discussion of the limitations of this work as well as discussion of directions for future research on related issues.
Related Work
Previous work on GDPR implementation and the use of fines to penalize companies for data privacy and security violations has examined the first year of the implementation among the EU member states. One early work by Catherine Barrett explores the first year of enforcement and the 91 fines that resulted from 15 EU member states.4 In Barrett's early analysis, she notes that “DPAs—at this stage—want to change the perception of data protection, to view data as an asset to be protected.”5 She found that, in general, DPAs did not issue fines that hit the maximum allowable amount, which is substantiated in this work. However, when the fines did reach a higher level, DPAs have tended to follow European Court of Justice guidelines.6 These guidelines suggest that higher fines should be applied when one or more of four conditions exist.7 Barrett explains these conditions:
First, where the number of data subjects affected, and subsequent level of damage, warrants it. For data breaches that are found, for example, to originate from “systemic break or lack of adequate routines in place” and impact a number of data subjects, higher fines might be levied… Second, if there are several different infringements committed in any one particular case, the DPA may impose a higher fine and/or prescribe corrective measures… Third, intentional acts or negligence triggers the possibility of higher fines. The guidance specifies, for example, that “willful conduct on the data controller's part, or failure to take appropriate preventive measures, or inability to put in place the required technical and organizational measures” weigh in the DPA's assessment of the level of a fine… Fourth, duration of an infringement is another factor. For example, if data are exfiltrated as a result of data breach and that data breach goes undetected for a long period of time, the length of time will likely be a factor in determining the damage to data subjects and resulting fine.8
These conditions are often reflected in the wording of violations published by different authorities, as shown in subsequent sections. Barrett's prediction that well-staffed DPAs such as those of France, Germany, Ireland, Italy, Poland, and Spain would be significant driving forces to “process complaints and issue fines more quickly than less-resourced countries” has proved mostly true, especially in the case of Spain (see Table 2).9 Barrett's suggestion that Ireland will play an outsized role among all EU members has yet to prove accurate: Ireland has levied only a single fine (although it does fall in the higher threshold of fines), and it did so in the last month of the two-year period the GDPR has been in place, which does not allow the current work to fully assess the impact of this particular fine on the actions of other EU members.
Table 2. Number of GDPR fines and total sum of fines issued by country.

Country | Number of Fines | Total Fines | Average Fine
---|---|---|---
Spain | 73 | €2,331,670 | €31,941 |
Romania | 27 | €504,650 | €18,691 |
Hungary | 23 | €218,183 | €9,486 |
Germany | 21 | €25,137,307 | €1,197,015 |
Bulgaria | 19 | €3,208,690 | €168,878 |
Italy | 11 | €39,452,000 | €3,586,545 |
Greece | 8 | €748,000 | €93,500 |
Cyprus | 8 | €121,000 | €15,125 |
Belgium | 8 | €90,000 | €11,250 |
Czech Republic | 8 | €14,658 | €1,832.25 |
Austria | 7 | €18,070,100 | €2,581,443 |
Poland | 7 | €934,330 | €134,761 |
France | 5 | €51,100,000 | €10,220,000 |
Sweden | 5 | €7,083,530 | €1,416,706 |
The Netherlands | 5 | €2,660,000 | €532,000 |
Denmark | 5 | €388,550 | €77,710 |
Portugal | 4 | €424,000 | €106,000 |
Norway | 4 | €400,400 | €100,100 |
United Kingdom | 3 | €315,310,200 | €105,103,400 |
Finland | 3 | €128,500 | €42,833 |
Latvia | 2 | €157,000 | €78,500 |
Iceland | 2 | €29,600 | €14,800 |
Ireland | 1 | €75,000 | €75,000 |
Lithuania | 1 | €61,500 | €61,500 |
Slovakia | 1 | €40,000 | €40,000 |
Malta | 1 | €5,000 | €5,000 |
Another early work by Basin et al. provides a new methodology for determining GDPR compliance algorithmically. They propose “exploiting the formal notion of a business process model as a bridge between a system implementation and the GDPR.”10 In order to do this, Basin et al. provide a methodology by decomposing audits into verifying the compliance of an implementation to a process model, of a process model to a privacy policy, and of these latter two to the GDPR itself.11 Each business process is converted to represent one or more purposes for which data are collected and used as defined by the GDPR. Thus, they are able to determine through their algorithm whether a purpose is served and when the corresponding process has terminated.12 They explain:
To establish GDPR compliance, we must show the following: 1. The implementation conforms to the process collection. That is, the implementation implements the processes described in the process collection. 2. The process collection conforms to the privacy policy. That is, the processes described actually treat data in the manner described by the privacy policy. 3. The process collection conforms to the GDPR. That is, the processes described follow the GDPR, for example they delete data as appropriate. 4. The privacy policy conforms to the GDPR. That is, the privacy policy does not make statements outside the GDPR, such as “we collect your personal information and use it for undisclosed purposes.”13
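The four-part decomposition quoted above lends itself to a small, mechanical audit. The following is an added example written for this article, not Basin et al.'s tooling: a toy process collection, privacy policy and implementation event trace are constructed inline, and every name in it (`Process`, `audit`, the four check functions, the sample shop data) is an assumption made here. Each check returns a list of findings, so an empty list for every check means the audit passes.

```python
# Added example (not Basin et al.'s tooling): a toy audit that splits GDPR
# conformance into the four checks quoted above. All names and sample data
# below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

UNDISCLOSED = "undisclosed purposes"  # the policy wording the quote flags as non-conforming


@dataclass(frozen=True)
class Process:
    """One business process in the process collection: what it does with which data."""
    name: str
    purpose: str
    data_items: FrozenSet[str]     # personal-data categories the process touches
    deletes_on_completion: bool    # model says data is erased once the purpose is served


# Privacy policy: purpose -> data categories the policy discloses for that purpose.
Policy = Dict[str, FrozenSet[str]]
# Implementation trace: (process name, action, data item). Constructed event log.
Trace = List[Tuple[str, str, str]]


def implementation_conforms_to_processes(trace: Trace, processes: List[Process]) -> List[str]:
    """Check 1: the implementation only does what the process collection describes."""
    by_name = {p.name: p for p in processes}
    actions_seen: Dict[str, set] = {}
    findings = []
    for proc_name, action, item in trace:
        proc = by_name.get(proc_name)
        if proc is None:
            findings.append(f"trace: process '{proc_name}' is not in the process collection")
            continue
        if action == "use" and item not in proc.data_items:
            findings.append(f"{proc_name}: implementation uses '{item}', which the model omits")
        actions_seen.setdefault(proc_name, set()).add(action)
    for proc in processes:
        if proc.deletes_on_completion and "delete" not in actions_seen.get(proc.name, set()):
            findings.append(f"{proc.name}: model promises deletion but the trace shows none")
    return findings


def processes_conform_to_policy(processes: List[Process], policy: Policy) -> List[str]:
    """Check 2: each process's purpose and data use is covered by the privacy policy."""
    findings = []
    for proc in processes:
        if proc.purpose not in policy:
            findings.append(f"{proc.name}: purpose '{proc.purpose}' is not disclosed")
            continue
        extra = proc.data_items - policy[proc.purpose]
        if extra:
            findings.append(f"{proc.name}: uses {sorted(extra)} beyond the policy for '{proc.purpose}'")
    return findings


def processes_conform_to_gdpr(processes: List[Process]) -> List[str]:
    """Check 3: storage limitation, i.e. data is deleted once its purpose has terminated."""
    return [f"{p.name}: retains data after purpose '{p.purpose}' ends"
            for p in processes if not p.deletes_on_completion]


def policy_conforms_to_gdpr(policy: Policy) -> List[str]:
    """Check 4: the policy makes no statements outside the GDPR (no undisclosed purposes)."""
    return [f"policy: reserves '{purpose}'" for purpose in policy if purpose == UNDISCLOSED]


def audit(trace: Trace, processes: List[Process], policy: Policy) -> Dict[str, List[str]]:
    """Run all four checks; an empty list for every key means the audit passes."""
    return {
        "implementation_vs_processes": implementation_conforms_to_processes(trace, processes),
        "processes_vs_policy": processes_conform_to_policy(processes, policy),
        "processes_vs_gdpr": processes_conform_to_gdpr(processes),
        "policy_vs_gdpr": policy_conforms_to_gdpr(policy),
    }


# Constructed sample: an online shop with one compliant and one problematic process.
SAMPLE_PROCESSES = [
    Process("order_fulfilment", "deliver order", frozenset({"name", "address"}), True),
    Process("ad_profiling", "ad targeting", frozenset({"email", "browsing_history"}), False),
]
SAMPLE_POLICY: Policy = {
    "deliver order": frozenset({"name", "address"}),
    "newsletter": frozenset({"email"}),
}
SAMPLE_TRACE: Trace = [
    ("order_fulfilment", "use", "name"),
    ("order_fulfilment", "use", "address"),
    ("order_fulfilment", "delete", "*"),
    ("ad_profiling", "use", "email"),
    ("ad_profiling", "use", "phone"),      # data item the process model never mentioned
]

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_TRACE, SAMPLE_PROCESSES, SAMPLE_POLICY).items():
        print(f"{check}: {'OK' if not findings else findings}")
```

On the constructed sample the audit reports one finding per layer for the profiling process: the implementation touches a data item the model omits (check 1), the process serves a purpose the policy never discloses (check 2), and the model retains data after its purpose ends (check 3), while the policy itself passes check 4. The point of the decomposition is exactly this localisation: each finding names the layer at which conformance breaks, which is what an auditor needs in order to decide whether the fix belongs in code, in the process model, or in the policy text.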
According to a publication by the nonprofit Open Rights Group, complaints to DPAs by the public are one of the main origins of GDPR fines.14 Investigating the first 10 months of GDPR implementation, the article in GDPR Today shows the numbers of complaints for 10 EU countries. The statistics show that the United Kingdom's DPA received by far the largest number of complaints, whereas Cyprus received the fewest (see Figure 1).15 The article notes that because DPA responses vary widely, comparative analysis using complaints is difficult.16 To address this, the authors suggest that the European Data Protection Board should develop protocols that would require DPAs to publicly report comparable figures at regular intervals.17 It is also evident from these data that the number of public complaints does not appear to correlate with the number of fines ultimately reported publicly by DPAs. Taking the United Kingdom as an example, although the reports from the Information Commissioner's Office (ICO) state that it resolved more than 39,000 complaints made by the public in 2019, there are only three fines noted in the database used for this work.18 Similarly, the French CNIL reports receiving over 11,077 complaints in 2018 yet issued only five fines.19 For several countries, for example Spain and Ireland, reliable complaint numbers are not readily available to the public. This makes analysis of the relationship between complaints and fines difficult to accomplish, and it is therefore not pursued in this work.
Other work, more generally, has examined why regulators have been reluctant to issue fines for certain types of violations. For instance, Golla notes that “violations of Data Protection Laws are often not regarded as important enough to take steps against them, especially if they do not affect financial interests and do not involve ‘sensitive’ areas of life such as financial matters or the workplace.”21 He argues that DPAs struggled to issue fines under the DPD in part because they serve a supervisory role to data processors that is “based on a cooperative and consulting approach” and requires “mutual trust between authorities and data controllers” that is harder to establish “if there is a latent threat of imposing administrative fines.”22 Golla's analysis of the GDPR suggests that the regulation will do “little” to incentivize data subjects and DPAs to initiate investigations into possible data protection violations, particularly since individuals reporting such incidents are unlikely to benefit from these investigations. (In the case of DPAs, the situation is somewhat more complicated—some DPAs do, in fact, keep a portion of the fines they institute to cover operating expenses, while others do not). Golla concludes by highlighting the uncertainty around how the fining under the GDPR will actually be implemented by member states and whether these fines will make a significant difference to the relatively low level of fining activity in Europe under the DPD. He writes:
Certainly, the GDPR will lead to more frequent and higher fines for data protection violations in member states which have been operating on a low level so far. But still, the question whether higher fines will be imposed on a regular basis in all member states remains open. It seems unlikely that eight-figure administrative fines will be imposed on a regular basis. The existence of a higher upper threshold does not necessarily mean that this threshold will ever be reached.23
Grant and Crowther's analysis of the United Kingdom DPA, the ICO, examines how that authority made decisions about instituting monetary penalties related to privacy and security violations prior to the implementation of the GDPR.24 Like Golla, they note that fines are relatively rarely used in the context of data protection issues, writing, “fining does not seem to have been embraced as whole-heartedly in the privacy arena as it has been in the enforcement of many other state-regulated activities. When looked at in the context of the amount of personal data that is processed, issuing sanctions is still a relatively rare occurrence.”25 Grant and Crowther also note that the ICO, which they designate as “one of the more active [DPAs] in terms of the fines it has issued,” focuses its fines almost entirely on “traditional security breaches” rather than privacy violations, leading the authors to question how effective such fines are for “enforcing privacy on a wider scale.”26 They also question whether ICO fines are too small to be effective, noting that the largest penalties imposed by the Federal Trade Commission (FTC) in the United States on tech companies at the time were significantly higher than any imposed by the ICO or other European DPAs, and that the EU Competition Commission was able to impose significantly higher fines “of tens or even hundreds of millions of euro” than any of the DPAs.27 They conclude that “Fines would appear to be at their most effective in cases where there has been an element of choice on the part of the data controller, which then led to a breach,” a recommendation that appears to be in line with the second fining criterion in the GDPR specifying that DPAs must consider “the intentional or negligent character of the infringement.”28 Grant and Crowther argue that this could be an effective mechanism for handling privacy choices, in addition to those related to security, despite the ICO previously focusing primarily on the latter category, writing that “this could be a choice as to whether to devote attention and resources to data privacy—to write policies or update the IT system—as opposed to overlooking this area and spending the resources elsewhere.”29 By analyzing the specific articles of the GDPR that have been violated and resulted in fines, this study is intended in part to look at whether the GDPR and its broadened set of data protection rules have in fact expanded the use of fines to more privacy-oriented violations, beyond just security ones.
Other related research has highlighted the inability of European DPAs to institute sufficiently large fines to change the behavior of major data processing companies. For instance, Houser and Voss undertook a comparison of pre-GDPR data protection enforcement actions in the EU and the United States against Google and Facebook, concluding that “While there have been hundreds of [European] enforcement actions taken against U.S. tech companies in recent years, the low maximum fines permitted … have not been substantial enough to force change in the way these tech companies collect and utilize data. This will change with the extraterritorial jurisdiction and enormous fines possible under the GDPR.”30
Solove and Hartzog evaluate the role of the FTC in the United States for investigating and punishing privacy violations, noting that although there have been some significant fines levied by the FTC against tech companies, “the FTC lacks the general authority to issue civil penalties and rarely fines companies for privacy-related violations under privacy-related statutes or rules that provide for civil penalties.”31 Furthermore, they point out, the FTC, in its role as a consumer protection agency, is bound by its own limitations when it comes to issuing fines that cannot exceed “the amount of consumer loss.” This means that “when the FTC does include fines, they are often quite small in relation to the gravity of the violations and the overall net profit of the violators,” Solove and Hartzog argue.32
Finally, an additional area of research related to the GDPR focuses on its controversial “right to be forgotten” provisions under Article 17 and the concerns about unintended consequences of requiring companies to comply with requests made under these provisions.33 The possibility that a company's refusal to comply could result in significant fines was a particular source of concern to some critics of the right to be forgotten, who feared it might make companies more inclined to acquiesce to take-down requests than to risk a significant financial penalty.34 The “Right to be Forgotten” became a source of concern for companies in May 2014, prior to the implementation of the GDPR, following a landmark ruling by the European Court of Justice.35 Bertram et al. consider in their analysis the effect of the GDPR on the implementation of this ruling.36 They posit that “the steep decline in directory-related sites after May 2018 is likely the result of the GDPR coming into effect … 80% of previously requested directory sites had no subsequent delisting requests.”37 Of the top 500 directory domains by request volume, only 54.6% remained online after the GDPR came into effect.38 As Article 17 is one of the articles that has received some attention from DPAs during the period of this study—with ten enforcement actions taken by seven different countries against data processors for failure to comply with its requirements—this analysis also engages with some of the concerns raised in previous work and yields some early clues as to how significant the financial risk is to companies that fail to comply with the Article 17 right to be forgotten provisions.
Data
The data used for this analysis is a set of 261 enforcement orders issued publicly by DPAs under the GDPR from May 2018 through May 2020. Importantly, this data set does not necessarily include every enforcement action made under the GDPR, since not every DPA issues its reports publicly. This is a significant limitation of this analysis because it relies exclusively on publicly issued GDPR enforcement actions. Despite this limitation, the publicly available set of enforcement orders can yield some interesting initial insights into how different DPAs are exercising their authority under the GDPR. We rely on a data set of enforcement orders collected by European law firm CMS through its online Enforcement Tracker website (available from enforcementtracker.com), launched in 2019 under the oversight of CMS partner Johanna Hofmann. CMS is an international law firm headquartered in the United Kingdom with additional offices in 17 EU member states (Austria, Belgium, Bulgaria, Croatia, Czech Republic, France, Germany, Hungary, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain). Hofmann said CMS member firms in European countries working on data protection issues were the main source of information for the Enforcement Tracker, though some fines were also reported through the site by outside individuals using a reporting tool available on the website. She emphasized that the Tracker is incomplete because many DPAs choose to keep some of their investigations and enforcement actions secret, and CMS chose to include in its database only penalties for which the full order issued by the DPA was available to the public. We further removed from the CMS database all orders for which the date issued was unknown or the size of the fine was unknown, resulting in a total of 261 enforcement orders during the period from July 2018 through May 2020.
The enforcement orders compiled by CMS are coded by the firm according to the country that issued them, the size of the fine, the article (or articles) of the GDPR that the violation pertains to, the controller or processor being fined in the order, and the specific type of violation at issue. For the time period studied, there were nine such types of violations designated by CMS:
Insufficient legal basis for data processing;
Non-compliance with general data processing principles;
Insufficient cooperation with supervisory authority;
Lack of appointment of data protection officer;
Insufficient fulfilment of information obligations;
Insufficient fulfilment of data subjects' rights;
Insufficient data processing agreement;
Insufficient fulfilment of data breach notification obligations; and,
Insufficient technical and organizational measures to ensure information security.
Results
The analysis of the CMS data set of publicly available GDPR enforcement actions is organized as follows: First, we discuss the trends in enforcement activity over time in terms of how many fines are issued, how large those fines are, and to which articles of the GDPR they apply. Next, the enforcement actions are broken down by country and evaluated at that level. Finally, the orders are discussed by the article of the GDPR to which they pertain. In the final section of results, we discuss the largest fines issued under the GDPR and, in particular, what we can learn from these outliers.
Fines and Enforcement Actions Over Time
There were no clear trends in the enforcement activity by month or the sum of the fines issued each month during the course of the study, as shown in Table 3. Figure 2 shows the average fines mapped by country, demonstrating the wide range of penalties issued by different states during this period.
Breakdown of GDPR enforcement actions by month.
Month | Number of Fines | Sum of Fines | Average Fine |
---|---|---|---|
July 2018 | 1 | €400,000 | €400,000 |
August 2018 | 0 | €0 | €0 |
September 2018 | 1 | €300 | €300 |
October 2018 | 1 | €388 | €388 |
November 2018 | 1 | €20,000 | €20,000 |
December 2018 | 5 | €15,700 | €3,140 |
January 2019 | 3 | €50,000,888 | €16,666,963 |
February 2019 | 12 | €65,108 | €5,426 |
March 2019 | 8 | €462,300 | €57,788 |
April 2019 | 8 | €309,135 | €38,642 |
May 2019 | 6 | €557,240 | €92,873 |
June 2019 | 6 | €1,076,000 | €179,333 |
July 2019 | 7 | €315,349,200 | €45,049,886 |
August 2019 | 6 | €3,246,630 | €541,105 |
September 2019 | 9 | €906,523 | €100,725 |
October 2019 | 28 | €34,509,514 | €1,232,483 |
November 2019 | 21 | €1,114,890 | €53,090 |
December 2019 | 23 | €21,757,600 | €945,983 |
January 2020 | 14 | €28,110,710 | €2,007,908 |
February 2020 | 29 | €886,090 | €30,555 |
March 2020 | 32 | €7,861,036 | €253,582 |
April 2020 | 3 | €793,700 | €264,567 |
May 2020 | 8 | €227,400 | €28,425 |
There does appear to be a relatively gradual upward trend over time in terms of how many fines are issued, though it is difficult to determine whether the fines are increasing in size as well, given the small sample size and the fact that several outlier fines clearly skew the totals and averages by month. These include the €50,000,000 fine levied by France against Google in January 2019, and the fines levied by the United Kingdom ICO in July 2019 against Marriott International for £99,200,396 and against British Airways for £183,390,000. These are the three largest (public) fines issued under the GDPR during the period in question; however, another eight fines were issued for more than €1,000,000 during that period, as shown in Table 4. These fines are discussed in more detail in the subsequent section on outlier fines over €1,000,000.
Violations by Type and Associated Total and Average Fines
Type of Violation | Primary Purpose | Number of Fines | Total Fines | Average Fine |
---|---|---|---|---|
Insufficient legal basis for data processing | Privacy | 98 | €110,858,422 | €1,131,208 |
Insufficient technical and organizational measures to ensure information security | Security | 59 | €332,864,417 | €5,641,770 |
Noncompliance with general data processing principles | Mixed | 40 | €16,081,665 | €402,042 |
Insufficient fulfilment of data subjects' rights | Privacy | 26 | €7,938,397 | €305,322.96 |
Insufficient fulfilment of information obligations | Security | 15 | €557,265 | €37,151 |
Insufficient fulfilment of data breach notification obligations | Security | 8 | €177,411 | €22,176.38 |
Lack of appointment of data protection officer | Administrative | 3 | €111,000 | €37,000 |
Insufficient data processing agreement | Privacy | 2 | €14,380 | €7,190.00 |
Insufficient cooperation with supervisory authority | Cooperation | 1 | €4,400 | €4,400 |
Over time, there does appear to be a growing focus by DPAs on enforcement orders tied to violations of security protection requirements, as opposed to privacy requirements. This can be observed by focusing on the five GDPR Articles that are most commonly invoked in enforcement orders during the period in question: Articles 5, 6, 13, 15, and 32. These are the only five provisions of the GDPR that are linked to more than 10 enforcement activities during the period from July 2018 through May 2020, with 128 orders tied to violations of Article 5, 107 linked to violations of Article 6, 28 for Article 13, 20 for Article 15, and 62 for Article 32. (Several enforcement orders cite violations of more than one article of the GDPR, so the total number of violations per article adds up to more than the total number of enforcement orders.) Articles 6, 13, and 15 relate primarily to privacy protections, Article 32 relates primarily to security protections, and Article 5 relates to both. Of the 128 violations of Article 5 reported in enforcement orders, 21 are violations of Article 5(f), which governs confidentiality and integrity of information, whereas the other 107 are violations of the other elements of that article, which pertain primarily to privacy protections. Notably, violations of all these articles result in Tier 2 fines (the highest cap) except for Article 32, which is in Tier 1, with a lower cap on resulting fines. The initial months following the implementation of the GDPR saw relatively few enforcement orders targeting violations of Article 32 or Article 5(f); however, those violations grew to be a larger proportion of the overall enforcement activity over time, as shown in Table 1. This increasing emphasis on security violations is striking partly because data security had previously been the focus of most fining activity, as discussed by Grant and Crowther. The initial interest in enforcing the GDPR appeared to swing in the opposite direction, toward enforcing its privacy requirements, but then, over time, seemed to shift back toward security.
Despite predictions that the significant increase in fine caps laid out in the GDPR would result in much larger fines for data protection violations, during the period of this study, fines were most frequently issued by DPAs in the range from €1,001 to €10,000, as shown in Table 5.
Number of GDPR fines issued within size ranges.
Fine Range | Number of Fines Issued |
---|---|
€1,000 and under | 22 |
Between €1,001 and €10,000 | 110 |
Between €10,001 and €100,000 | 90 |
Between €100,001 and €1,000,000 | 28 |
Over €1,000,000 | 11 |
Indeed, the large majority of fines issued are under €100,000, suggesting that the GDPR may not have had as significant an effect on the size of data protection fines as some predicted. Even if the fines have increased relative to the period before the GDPR, most are still well within the ranges permitted by previous regulations in European nations under the DPD. However, over time, beginning about one year after the GDPR implementation date, there does seem to be a growing number of fines larger than €100,000, and even larger than €1,000,000, as shown in Figure 3. Interestingly, although the majority of fines are issued for violations of privacy measures in the GDPR, several of the largest fines in these categories are directed at security violations under Articles 32 and 5(1)(f), as discussed in more detail in the subsequent section on Fines and Enforcement by Article. This suggests that the uptick in larger fines toward the end of the period of study may be linked to the uptick in security-related enforcement actions as well. It will be interesting to see whether DPAs continue to become increasingly comfortable issuing these larger fines, or whether smaller fines remain the clear majority of data protection penalties, and whether there continues to be any correlation between security violations and larger fines.
Fines and Enforcement by Country
DPAs in different European countries approached the implementation of GDPR in very different ways. During the period of study, many of these DPAs were still involved in investigating incidents that occurred under the previous data protection legal regime of laws passed under the DPD, so there were other data protection fines levied during this time under those laws which may explain, in part, why so many countries issued so few fines under the GDPR. Additionally, many countries have mechanisms for issuing private penalties under the GDPR in some circumstances, which may also account in part for the low numbers. Interestingly, the countries that issued the largest numbers of fines under the GDPR during this period (Spain, Romania, Bulgaria, and Hungary) did not issue the largest sum total of fines, as shown in Table 2. Instead, the United Kingdom, France, Italy, and Germany issued the largest sum total of fines (as well as the largest average fines). It is notable that countries that issue the most fines do not, in general, issue the largest fines because it suggests that aggressive GDPR enforcement through multiple enforcement actions is distinct from aggressive enforcement through large penalties.
Generally, the European countries can be divided into roughly four categories during this period based on their approaches to the early implementation of the GDPR. The first category comprises countries like Spain, Romania, Bulgaria, and Hungary that each enforced more than a dozen fines against data processors and controllers, but did so at relatively modest levels (with the exception of Bulgaria, whose average fine was close to €200,000, the other three countries averaged under €40,000 per fine). The second group is made up of countries that focused their attention on enforcing fewer, larger fines, including the United Kingdom, France, Italy, Austria, Sweden, and Germany, all of which averaged fines of more than €1,000,000 despite the fact that only 11 fines of that size were issued during the entire period (ten of them by those five countries, in addition to one issued by Bulgaria). The third—and largest—group imposed a fairly small number of relatively small fines. This includes the Czech Republic, Belgium, Greece, Cyprus, Poland, Portugal, the Netherlands, Latvia, Norway, Ireland, Finland, Iceland, Denmark, Malta, Lithuania, and Slovakia. Meanwhile, the fourth group of countries, composed of Croatia, Estonia, Luxembourg, and Slovenia, imposed no public fines at all during this period. This suggests that the majority of European countries were noticeably cautious in their implementation of the GDPR, choosing not to exercise the regulation's fining authorities anywhere close to their upper limit, but instead issuing small, infrequent fines similar to the types of penalties issued prior to the implementation of the GDPR.
Several countries were fairly consistent in terms of which types of violations they chose to enforce. Spain, for instance, issued 73 different fines during this period, but nearly half of them (33) were issued due to violations of Article 6 of the GDPR on the grounds that the processor had “insufficient legal basis for data processing” (e.g., processing a user's data without their consent). Another 19 were issued due to “Non-compliance with general data processing principles” under Article 5 (e.g., angling security cameras so that they unnecessarily included footage of public spaces, in violation of the principle of data minimization), and 7 others were issued due to “insufficient fulfilment of information obligations” (e.g., providing inaccurate or incomplete privacy policies to users) under Article 13 of the GDPR. Of the remaining 14 violations, 10 were due to “insufficient technical and organizational measures to ensure information security” under Article 32, whereas the last four were issued because of “insufficient cooperation with supervisory authority” under Article 31 and Article 58. In other words, Spain concentrated the bulk of its enforcement actions on privacy violations. By contrast, the three (much larger) fines levied by the United Kingdom were all issued for violations of Article 32 to companies that had insufficient security measures in place, suggesting that the ICO was more focused on security enforcement actions. Interestingly, although violations of Article 32 fall into the lower tier for fines under the GDPR, capped at €10,000,000 or 2 percent of the organization's total global annual revenue (whichever is higher), they still yielded some of the largest fines under the GDPR. In fact, the United Kingdom's £183,390,000 fine of British Airways probably came closest to actually reaching the GDPR fine caps, as it totaled roughly 1.8 percent of the company's annual global revenue from the preceding year.
Spain, which had one of the highest possible fines under the directive before the implementation of the GDPR, has consistently levied fines far below what either the GDPR or its former laws allowed. According to Article 45 of the Organic Law 15/1999 of 13 December on the Protection of Personal Data, fines were classified into three tiers, “minor infringements, serious infringements, and very serious infringements.”39 The minor infringements started at about €600, whereas the very serious infringements could result in fines up to €600,000. Spain has issued 73 fines in the two-year period that the GDPR has been enforceable. Of those 73 fines, 67 were fineable at the highest possible tier according to the GDPR. Not one of them surpasses the previous fine limit, let alone comes close to the possible €20 million (or 4% of annual revenue) cap of the tier two fines. This pattern reflects the general tendency to maintain smaller fines, but indicates that the frequency with which member states levy fines has increased due to the passing of the GDPR.
Italy has levied three of the 11 largest fines (over €1,000,000). Before the GDPR, the Italian Personal Data Protection Code stated that for “Less Serious Cases and Aggravating Circumstances [t]he fines referred to in this Chapter may be increased by up to four times if they may prove ineffective on account of the offender's economic status.”40 This indicates that the Italian DPA has considered a company's annual turnover as a factor in determining a fine amount. In contrast to the case of Spain, a few countries appear to levy larger fines related to articles involving data security. The largest of Italy's fines each cited “Insufficient legal basis for data processing” violations and listed Articles 5 and 6, which fall under the higher tier of fines. These three fines each relate to unsolicited commercial or advertising communications using the personal data of European citizens. Although other states, like the United Kingdom, have issued fewer, larger fines related to violations of security, Italy has levied some of its largest fines for privacy violations (the largest of the three, however, is a combination of privacy and security concerns and is discussed in the Outlier section below).
With only five fines on public record, France is another interesting case. Of interest is the French DPA's (CNIL) history of higher fines relative to the economic status of the companies. Of the five fines, three are among the highest as a percentage of annual turnover. These include the €500,000 fine against Futura Internationale, which amounted to about 2.5% of annual turnover, and the €180,000 fine against Active Assurances, which equaled about 1.6% of annual revenue. The Futura Internationale violation fell into the highest cap of violations and could have been fined as high as €20 million. The fine against Active Assurances could have been up to 2 percent, or €214,190. This indicates that the CNIL is not hesitant to administer large fines whether the violation is based on privacy or security-related indiscretions. Both of these companies serve strictly European citizens, not global clients, which is interesting when compared to the largest fine CNIL imposed, against Google, a global tech company. Although the fine against Google is the largest in sum, it amounts to only about 0.35% of Google's annual revenue, far from the possible 4 percent maximum fine.
When it comes to the breakdown of how DPAs determine the amount of a fine, there is scarce information available to the public. Only two countries, Germany and the Netherlands, have a clear system for deciding how much a violation can be fined. As explained on the CMS Enforcement Tracker, the Netherlands has designated four categories to estimate the size of the fine, based on the severity of the violation. These four categories are as follows: Category I includes simple violations such as lack of information about the DPO in a privacy notice; Category II includes lack of fulfillment of certain processing requirements, such as missing processing agreements with processors; Category III includes violations such as failure to notify data breaches or noncooperation with DPAs; and Category IV includes severe violations such as unlawful processing of special categories of data. Using this estimation, on the basis of the severity of the violation, Category I fines can be between €0 and €200,000 (default fine: €100,000), Category II fines between €120,000 and €500,000 (default fine: €310,000), Category III fines between €300,000 and €750,000 (default fine: €525,000), and Category IV fines between €450,000 and €1,000,000 (default fine: €725,000). When examining the five fines levied by the Netherlands DPA, one fine was levied under Category I, one under Category II, two under Category III, and one under Category IV. The fine falling under Category IV was issued in regard to a security concern involving the health data of employees of an insurance service provider, which is consistent with the categorical system's treatment of health data. Most of the fines that the Netherlands has issued do seem to follow the estimation by category. However, it does not appear that other countries follow this categorical system.
Germany, however, has a slightly more complicated equation to determine a possible fine size, including the company's average annual revenue, whether the infringement was formal or material, and the severity of the infringement. The German DPA also provides examples of possible arguments for reduction or increase of an average fine based on severity and company size. Arguments for reduction could include first-time offenses, negligence, effective cooperation, and measures taken to reduce damage, whereas arguments for increase could include repeat offenses, lack of cooperation and inaction, or intent. For example, for a company like Delivery Hero, whose annual revenue in 2018 was 369 million euros, which committed a material infringement of Article 83 of light severity, the estimation would be a fine of around 694,444 euros. However, the actual fine was issued at only 195,000 euros. Nor would this fine fit into the Netherlands' category system, as the violation would fall into Category II, but the amount is in the lower category amount. This difference may indicate that the equation determined by Germany tends to be stricter than actual implementation. Many other fines levied by the German DPA tend to support this finding. Thus, methods to formalize the issuance of fines are still at an early stage and are not necessarily an accurate indicator of the final amount of a fine.
There are several instances of repeat offenders among the cases studied in this work. In general, the data suggest that repeat offenders are most often cited for separate violations in each of the fines. Rarely are the repeat offences related to each other or to the inability of the processor to cooperate with the demands of the authority during the first fine. Instead, they appear to be separate infringements that have no relation to one another, and therefore do not appear to have an effect on the size of the succeeding fine. For example, Google has been fined on separate occasions by different member state authorities. None of these violations appear to take into consideration the other fines imposed by neighboring authorities when deciding the size of the fine against the global company. Interestingly, Spain imposed 21 different fines against the telecommunications company Vodafone during the time examined. Most of these fines are in response to individual complaints and have little relation to each other. There are, however, a few fines that suggest that the AEPD began investigations due to separate complaints, each of which resulted in a unique fine, which in turn informed a fine of wider scope. For instance, the fine on January 9, 2020, of €3,000 lists the type of violation as insufficient cooperation with supervisory authority and explains that the company did not provide requested information in a timely manner. This fine is a smaller one, compared to the average of €48,286 for the other 20 fines, and indicates that in most cases the fines were not related to each other. One notable exception is the Spanish fine against Telefonica, which cited insufficient cooperation with supervisory authority for one of the offences committed by the company. Figure 4 shows the total count of all repeat offenders. The graph counts each of the incidents of repeat offences, including the original.
Fines and Enforcement by Article
Beyond providing DPAs with the authority to issue much larger fines than ever before, the GDPR also expanded the requirements and expectations that applied to data processors and controllers. Fines can be issued for violations of 42 different Articles of the GDPR; however, during the period of this study, only half of those articles were actually cited by DPAs in public enforcement orders, as shown in Table 6.
Count of all repeat offenders. (*This graph counts all iterations of the repeat offenders. For example, Cyprus fined the same company 3 times and Spain fined one company 21 times.)
Violations by Article of GDPR and Associated Purpose and Penalties
Article | Number of Violations | Primary Purpose of Article | Primary Penalty Type Associated with Article Violations |
---|---|---|---|
Art. 5 | 123 | Privacy (5(1)(a)-(e)) and Security (5(1)(f)) | Noncompliance with general data processing principles |
Art. 6 | 104 | Privacy | Insufficient legal basis for data processing |
Art. 7 | 4 | Privacy | Insufficient fulfilment of information obligations |
Art. 9 | 11 | Privacy | Insufficient legal basis for data processing |
Art. 12 | 11 | Privacy | Insufficient fulfilment of data subjects' rights |
Art. 13 | 27 | Privacy | Insufficient fulfilment of information obligations |
Art. 14 | 9 | Privacy | Insufficient fulfilment of information obligations |
Art. 15 | 17 | Privacy | Insufficient fulfilment of data subjects' rights |
Art. 17 | 10 | Privacy | Insufficient fulfilment of data subjects' rights |
Art. 18 | 2 | Privacy | Insufficient fulfilment of data subjects' rights |
Art. 21 | 12 | Privacy | Insufficient legal basis for data processing |
Art. 25 | 11 | Privacy and Security | Noncompliance with general data processing principles |
Art. 28 | 2 | Privacy | Insufficient data processing agreement |
Art. 31 | 2 | Cooperation with DPAs | Insufficient cooperation with supervisory authority |
Art. 32 | 60 | Security | Insufficient technical and organizational measures to ensure information security |
Art. 33 | 11 | Security | Insufficient fulfilment of data breach notification obligations |
Art. 34 | 2 | Security | Insufficient fulfilment of data breach notification obligations |
Art. 35 | 2 | Privacy and Security | Insufficient legal basis for data processing |
Art. 36 | 1 | Cooperation with DPAs | Insufficient cooperation with supervisory authority |
Art. 37 | 2 | Administrative | Lack of appointment of data protection officer |
Art. 58 | 5 | Cooperation with DPAs | Insufficient cooperation with supervisory authority |
Which articles DPAs chose to enforce most frequently and most aggressively yields some insight into which of the many components of the GDPR regulators were most eager to act on in the immediate aftermath of the regulation's implementation. The most frequently cited articles in enforcement actions were Articles 5 and 6, which lay out the “Principles relating to processing of personal data” (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) and the conditions for “Lawfulness of processing” (consent; contract; compliance; vital interests; official authority; legitimate interests), respectively. With the exception of five orders issued under Article 5(1)(f) governing data integrity and confidentiality principles, all of the orders issued under both of these articles pertained primarily to privacy violations—including failure to obtain consent for processing, failure to minimize data appropriately, failure to process data in the manner described to users, and other violations pertaining to data subjects' privacy and control over their own personal data. By contrast, the third most commonly cited Article in enforcement orders during this study was Article 32, which outlines expectations for “Security of processing” (including pseudonymization, encryption, confidentiality, integrity and availability of processing systems, and the ability to restore availability to personal data in a timely manner, as well as regular security testing and evaluation). Strikingly, even though privacy violations were more commonly cited under the GDPR, security-related violations racked up by far the largest fines, and even the largest sum total of fines, by comparison to other types of violations (see Figure 4).
This suggests that while DPAs may have branched out beyond the violations they had fined prior to the GDPR, they were often most comfortable imposing large fines for security breaches, the same type of incidents they had already been routinely issuing fines for prior to the implementation.
Although the frequency of article citations is useful for interpreting DPAs' priorities, it can also be misleading, since many enforcement actions cite violations of multiple Articles. For this reason, it is also useful to look at the “type of violation” labels determined by CMS with regard to each fine. Figure 5 shows more violations simply because counting articles separately requires counting violations multiple times if they list several articles, while Figure 6 counts each violation once, as there is only one “type of violation” per citation. However, when comparing Figures 5 and 6, it is clear that privacy violations are fined more often than security violations. The violation types and how many fines have been issued for each are listed in Table 7, along with the total fines levied and average fine size by type of violation. Here, again, we see that the most frequent type of violation to incur a fine is an “insufficient legal basis for data processing” (under Articles 6, 9, 21, or 35), for which a total of 98 fines were issued, totaling €110,858,422. But the largest volume of fines, and the largest average fines, by far, were levied due to violations in which organizations implemented “insufficient technical and organizational measures to ensure information security,” totaling some 59 fines that amounted to €332,864,417. These averages are, clearly, influenced heavily by the outlier fines over €1,000,000 discussed in the following section. However, even removing the fines over €1,000,000 from the data set yields average fines of €147,207.06 for penalties associated with insufficient security and average fines of only €25,781.46 for violations due to insufficient legal basis for data processing.
Total Amount of Fines by Purpose
Primary Purpose of Violation | Total Fined |
---|---|
Privacy | €134,546,329 |
Security | €333,301,428 |
Cooperation with DPA | €59,911 |
Administrative | €60,000 |
Evaluating the types of violations fined most frequently and heavily underlines how much more willing DPAs were to levy large fines for security violations than for privacy-centered violations concerning users' rights and the legal basis for data processing, despite the GDPR designating most of those violations under Article 32 at a lower tier of fining than other types of violations. This trend toward larger fines for security breaches suggests that the legacy of the DPD era may continue to be significant even under the GDPR and influence the types of infractions that DPAs are most determined to punish aggressively. On the other hand, the large number of privacy-related fines indicates that the DPAs in many countries are beginning to explore their newfound ability to regulate nonsecurity-related infractions and, in time, they may come to levy larger fines for those as well, since that authority is clearly granted under the GDPR's fining tiers. These types of violations, particularly those due to insufficient legal basis for data processing and noncompliance with general data processing principles, are also, in some ways, more ambiguous and open to interpretation than the security violations that stem from data breaches. This may also be one reason why some DPAs have been more reluctant to penalize the former type of violation as aggressively. This ambiguity may also be resolved with time as a larger body of enforcement actions and precedent is established to help determine the expectations of data processors and controllers.
Outliers: Fines over €1,000,000
As noted previously, the large majority of fines levied under the GDPR during this period were for sums of less than €100,000. However, some very large fines were also issued, including eleven fines of more than €1,000,000, listed in Table 8.
The GDPR fines over €1,000,000 imposed prior to May 2020
Date | Issuing Country | Controller/Processor | Size | Percent of Annual Revenue | Maximum Fine Possible | Violations |
---|---|---|---|---|---|---|
July 8, 2019 | United Kingdom | British Airways | £183,390,000 (€204,600,000) | 0.14 | 2 percent of €13.02 billion = €260,400,000 | Article 32 |
July 9, 2019 | United Kingdom | Marriott International | £99,200,396 (€110,390,200) | 0.6 | 2 percent = €368,711,730 | Article 32 |
January 21, 2019 | France | Google | €50,000,000 | 0.04 | 4 percent = €5,675,440,068 | Articles 5, 6, 13, 14 |
January 15, 2020 | Italy | TIM (telco) | €27,800,000 | 0.18 | 4 percent = €607,400,000 | Articles 5, 6, 17, 21, 32 |
October 23, 2019 | Austria | Austrian Post | €18,000,000 | 0.91 | 4 percent = €78,400,000 | Articles 5(1)(a), 6 |
October 30, 2019 | Germany | Deutsche Wohnen SE | €14,500,000 | 0.8 | 4 percent = €73,320,000 | Articles 5, 25 |
December 9, 2019 | Germany | 1&1 Telecom GmbH | €9,550,000 | 0.01 | 2 percent = €3,320,000,000 | Article 32 |
December 11, 2019 | Italy | Eni Gas e Luce | €8,500,000 | 0.2 | 4 percent = €173,630,400 | Articles 5, 6, 17, 21 |
March 11, 2020 | Sweden | | €7,000,000 | Negligible | 4 percent = €5,675,440,068 | Articles 5, 6, 17 |
December 11, 2019 | Italy | Eni Gas e Luce | €3,000,000 | 0.07 | 4 percent = €173,630,400 | Articles 5, 6 |
August 28, 2019 | Bulgaria | National Revenue Agency | €2,600,000 | 1.3 | 2 percent = €3,984,641 | Article 32 |
These fines deserve some attention in part because so much of the emphasis with the implementation of the GDPR was on how large the possible fines could be. As Golla noted of the GDPR, “The existence of a higher upper threshold does not necessarily mean that this threshold will ever be reached.”41 These outlier GDPR fines above €1,000,000 come closest to reaching the upper thresholds laid out in the GDPR and, in many cases, far exceed the fines that could be levied by the relevant DPAs prior to the passage of the GDPR. A disproportionate number of these fines (four, or 36 percent) are linked to violations of Article 32 and insufficient security, despite such violations making up only roughly 25 percent of the overall set of enforcement orders. Those violations taken together also total more than all the other outlier fines combined (in fact, they total more than all the other fines in the data set combined).
However, although the outliers are dominated by security violations, there are also notable fines issued due to violations of Articles 5 and 6 for what are clearly privacy-focused issues, rather than security ones. For instance, the third-largest fine issued under GDPR was a €50,000,000 penalty levied against Google by the French DPA CNIL for failing to make its privacy policy sufficiently clear and easily understandable to users. The relevant information for Google users about how their data is being collected and processed “is excessively spread out across several documents: ‘Privacy Policy and Terms of Service’, displayed during the creation of an account, and then the ‘Terms of Service’ and ‘Privacy Policy’ which are accessible subsequently through clickable links on the first document,” according to the CNIL complaint. The complaint continues:
[W]ith regard to advertisement personalisation processing, in order to find out the information collected from them for this purpose, a user must perform many actions and combine several document resources. As a first step, they must read the general “Privacy Policy and Terms of Service” document, before clicking on the “More options” button and then on the “Learn more” link to display the page “Personalized advertising.” They will thus have access to a first description of the processing relating to personalised advertising, which proves to be incomplete. To complete the information relating to the data processed for this purpose, the user will still have to consult, in its entirety, the section “Provide personalised services” contained in the “Privacy Policy” document, itself accessible from the general document “Privacy policy and Terms of Service” … five actions are necessary for the user to access the information relating to personalised advertising.42
Unlike the fines levied in the aftermath of security incidents, this complaint represents a genuinely new authority for CNIL and the other DPAs—to be able to penalize companies for failing to make information sufficiently easily accessible and clear to users. CNIL further notes that Google is not sufficiently specific when explaining the purposes for which citizens' data will be processed, deeming the company's description that it will “provide personalized services in terms of content and advertising, ensuring the safety of products and services, providing and developing services, etc.” to be “too generic” and “vague.” Although France's Google fine is unusual among the outlier GDPR fines for being both so large and simultaneously solely focused on privacy violations, it may provide a hint of what the future holds for DPAs as they begin to explore some of the more ambiguous and broader elements of the GDPR that go beyond traditional penalties imposed in the aftermath of data breaches and other security violations.
The fifth-largest fine, levied upon TIM, a telecommunications operator in Italy, is also unique among the outlier fines because it cites both privacy- and security-related violations. This could have resulted in a fine at the highest possible limit; however, the fine amounts to approximately 0.18 percent of the company's annual turnover. The description of the legal action explains that this fine originated from hundreds of complaints concerning unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections, as well as the failure to respond to those requests.43 The Italian DPA states that the fine was imposed for: “lack of consent for marketing activities, addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data, lack of clear data retention periods, among other things.”44 The majority of the listed results of the DPA's investigation concern privacy violations, but they do address how the security breaches are directly tied to, and possibly stem from, the privacy concerns listed above. When describing the punitive process of determining the amount to be fined under Article 83 of the GDPR, the DPA provided 12 considerations: the wide scope, which affected approximately 2,000,000 customers; the seriousness of the violations detected; the significant duration of the violations; the malicious and grossly negligent nature of the conduct of the company; the existence of previous citations against the company; the existence of significant economic advantages available to the company; the cooperation with investigations and adoption of some measures suggested by the authority; and the loss of turnover.45 The resulting €27,802,946.00 fine demonstrates one example of how the intersection of privacy and security violations can be addressed by authorities.
Italy's other two fines above €1,000,000 were both imposed against the same company, Eni Gas e Luce. The two fines were both issued on the same day, December 11, 2019. The first fine was related to the unlawful processing of data in connection with telemarketing and tele-sales activities and is the larger of the two, whereas the second was related to infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under “market economy” conditions. In terms of multiple offenders, Eni Gas e Luce is unique in that both fines are above €1,000,000. Also, both fines are related to privacy violations and are well below the maximum limit, falling at 0.2 percent and 0.07 percent of annual turnover respectively. When deciding the first fine, the Italian DPA considered the wide scope of the processing and the high number of potential involved parties, the severity of the violation, the duration of the violation, the significantly negligent nature of the processing, the economic advantages of the company, and the limited measures adopted to mitigate the consequences of the violation.46 For the second fine, the DPA states that the significant gravity of the violation, the significantly negligent behavior and degree of responsibility of the owner, the cooperation with the Guarantor, and the actions by the owner to mitigate or eliminate the consequences of the violation all resulted in the second fine being smaller than the first.47
The fine imposed by Bulgaria upon the National Revenue Agency, while the smallest of the outlier fines, comes closest to the maximum possible under the first-tier limits. Reaching 1.3 percent of annual turnover, the fine pertains to a security violation. The Bulgarian DPA, CPDP, established that the Agency “in its capacity of personal data controller, did not apply appropriate technical and organizational measures, as a result to which unauthorized access, unauthorized disclosure and dissemination of several categories of the personal data of individuals”48 occurred. The categories of personal data include: “names, PINs and addresses of Bulgarian citizens, telephone numbers, e-mail addresses and other contact information, data from annual tax returns of individuals, data from inquiries about paid incomes of individuals, data from insurance declarations, data on health insurance contributions, data on issued acts for administrative violations, data on payments of taxes and insurance liabilities through Bulgarian Posts AD.”49 The information “illegally accessed and disseminated on the Internet contained personal data of a total of 6,074,140 individuals” (2/3 of whom are living citizens and 1/3 deceased).50 The CPDP stated that “the fact that this data has been leaked to the public does not automatically mean that it has been misused, in so far as the misuse presupposes the commission of additional acts, which are in themselves separate crimes.”51 It is clear from the report by the CPDP that the significant number of citizens affected and the type of personal data that was leaked played a major part in the size of the fine and was considered a serious infringement of the GDPR. This fine follows the pattern indicating that DPAs are more likely to impose strong measures in cases of data leakage, irrespective of whether they involve public agencies or private companies.
It is of note that the NRA was the subject of a second fine, less than a month later, in response to an individual complaint. This fine is significantly smaller, amounting to €28,100, and concerns a privacy violation of one citizen's personal data. It appears to be unrelated to the larger security fine.
One striking feature of the GDPR is its ability to reach international organizations that may not have headquarters in the EU. By requiring non-EU data controllers and processors that target individuals in the EU to comply with the GDPR, the regulation has the potential for a far-reaching effect on global tech companies. Interestingly, however, while we are seeing more large international companies facing fines for violations, the majority of the fines in the past two years have been incurred by companies headquartered within the EU and serving solely European clients. As a result, the fines levied in the time period studied here have generally been heavier, relative to revenue, for smaller companies. Even including the outlier fines above €1 million, the smaller fines levied against national companies tend to represent a higher percentage of annual revenue. Even though the largest fines are dizzying in size, they do not come close to the maximum limit, whereas the relatively smaller fines come closer to hitting the maximum limit of 2 percent or 4 percent of annual turnover. This indicates that the GDPR is currently more of a threat to smaller national European companies than it is to giant international tech companies that might have more traffic and a larger impact on the world tech industry.
Conclusion
The most notable takeaways from public enforcement actions published during the early days of GDPR implementation relate to how differently DPAs in various European countries have approached the new regulation and wielded their authorities under it. Most countries have taken a decidedly cautious approach, levying fairly few fines and even then, restraining them to fairly small amounts, in many cases no larger than the fines they were able to issue prior to the GDPR. A few countries have seized on the opportunity to issue more fines and enforced several of the privacy provisions of the GDPR related to user consent, transparency, and data minimization through a series of several fines directed at different data processors and controllers. Other countries have instead taken advantage of the significantly increased caps on data protection fines under the GDPR and focused on issuing a small number of very large fines, often totaling more than €1,000,000 and directed at security breaches rather than violations of privacy principles and data subject rights. Still other countries have not yet issued any fines under the GDPR, preferring to take more time to deliberate on the best course of action and most effective strategy for implementing the regulation. While security fines are, on average, the largest of the penalties issued for violations, there were more privacy-focused fines issued overall by DPAs. Future work could investigate whether this pattern continues to hold true as DPAs become more comfortable with privacy violation enforcement actions and a clearer precedent emerges around what types of incidents relating to privacy are clearly in violation of the GDPR.
Notably, only half of the 42 articles under the GDPR that can result in fines have so far been cited in public enforcement actions. And the vast majority of fines are limited to violations of five Articles. This may, in some cases, reflect the priorities of DPAs investigating incidents, but it may also reflect which of these types of violations are most straightforward to detect and investigate. For instance, no public fines have yet been levied pertaining to overseas transfers of data or joint processing, perhaps in part because these are often more involved processes requiring more time to uncover. Further work could track whether the as-yet-unused Articles of the GDPR receive more attention from DPAs in the future or whether the articles identified by DPAs early on in the implementation process continue to be the most aggressively enforced moving forward. Additionally, this analysis is based on a partial set of data because it relies only on publicly available GDPR sanctions. This is a significant limitation and further work could aim to address this with more comprehensive studies that include analysis of non-public penalties if it is possible to collect this data in the future. Additionally, future studies might analyze the link between severity of violations and the size of fines, or aim to assess the dissuasive effects of such fines.
Overall, the expectations for the GDPR to bring significantly higher fines and significantly more aggressive enforcement of privacy-related violations seem to have been partially met during the 24-month period following the implementation of GDPR prior to May 2020. It is true that DPAs are issuing higher fines than they were previously able to, in some cases, though the vast majority of fines continue to be similar to before the GDPR. It is also true that the majority of fines issued under the GDPR are tied to violations of users' privacy and data subjects' rights—areas in which DPAs had considerably less authority to penalize data processors and controllers under the DPD and associated national laws. However, in many cases, these two trends do not appear to overlap. The largest fines are primarily geared toward security breaches, while the privacy-related fines tend to be smaller, if more frequent. This is despite the fine tiers laid out in the GDPR itself which designate many security violations with a lower fine cap than can be triggered through violations of several of the articles corresponding to privacy protections. For countries currently considering similar or related data protection legislation, the lessons of the early months of GDPR implementation suggest that it may be helpful to provide clearer, less ambiguous principles around data privacy that allow for easier enforcement by regulators, as well as more clearly defined fining guidelines that offer greater detail and guidance than just an upper limit on fines so as to enable greater standardization across DPAs.
FOOTNOTES
1. Grant and Crowther, 301.
2. Rizzon et al.
3. Voigt and von dem Bussche.
4. Barrett.
5. Ibid.
6. Ibid.
7. Ibid.
8. Ibid.
9. Ibid.
10. Basin, Debois, and Hildebrandt.
11. Ibid., 23.
12. Ibid., 28.
13. Ibid., 30.
14. “GDPR in Numbers.”
15. Ibid.
16. Ibid.
17. Ibid.
18. “Information Commissioner's Annual Report and Financial Statements: 2019/20.”
19. “Presentation of the 2018 Activity Report and 2019 Issues of the French Data Protection Authority.”
20. “GDPR in Numbers.”
21. Golla.
22. Golla.
23. Ibid.
24. Grant and Crowther.
25. Ibid., 287.
26. Ibid., 288.
27. Ibid., 301.
28. Ibid., 304.
29. Ibid., 304.
30. Houser and Voss.
31. Solove and Hartzog, 605.
32. Ibid.
33. Politou, Alepis, and Patsakis.
34. Victor.
35. Google Spain SL and Google Inc.
36. Bertram et al.
37. Ibid., 966.
38. Ibid.
39. “ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data.”
40. Hert and Boulet, 365.
41. Golla.
42. “The CNIL's Restricted Committee Imposes a Financial Penalty of 50 Million Euros against GOOGLE LLC | CNIL.”
43. “Provvedimento Correttivo e Sanzionatorio Nei Confronti Di TIM S.p.A.”
44. Ibid.
45. Ibid.
46. “Provvedimento Correttivo e Sanzionatorio Nei Confronti Di Eni Gas e Luce S.p.A.”
47. Ibid.
48. “Update on the Undertaken Inspection at the National Revenue Agency.”
49. Ibid.
50. Ibid.
51. Ibid.