EU data rules are ‘heavy burden’ for business as fines increase

Four years ago, the EU introduced regulation to give customers more control over their personal data and to make organizations more accountable for how they use and protect that data. So what has the impact of GDPR been?

When Amazon was slapped with a €746m ($726.1m) fine last year for violating the EU’s data protection rules, it more than doubled the size of financial penalties handed out under the bloc’s General Data Protection Regulation (GDPR) since it came into force in 2018. It also sent a clear message that European regulators are serious about holding companies to account for misusing customer data.

Amazon’s penalty – which it is currently appealing – is one of the more than 800 fines that European regulators have imposed so far for GDPR breaches. GDPR, which turned four in May 2022, was introduced to increase transparency around how companies collect data while giving consumers more control over how their data is used. Penalties for non-compliance can be steep – as much as €20m ($19.5m) or 4% of annual global turnover, whichever is greater.

The size of Amazon’s fine in July 2021 dwarfed the previous highest penalty – a €50m ($48.7m) fine for Google, which was upheld in 2020 by the French data protection regulator CNIL on the grounds that the US tech giant was not transparent enough about how it collected and used data for personalized ads. Meta-owned WhatsApp added to the growing number of mega fines in August when the Irish regulator – the Data Protection Commission – imposed a €225m ($219m) penalty for a series of cross-border data infringements.

At the end of January, European regulators had levied 854 fines worth almost €1.3 billion ($1.27 billion), according to Privacy Affairs’ GDPR fines tracker.

“One of the things that’s very clear is that the regulators across Europe are looking very closely at and targeting the big tech players,” says Fedelma Good, a director at PwC and co-lead of its data protection strategy for legal and compliance services.

Whether the size of the Amazon and WhatsApp penalties will stick is another matter. In 2019, British Airways was hit with a £184m ($203.7m) fine for a cyber breach that compromised its consumers’ data. That was a record amount at the time, but the UK’s data protection agency, the Information Commissioner’s Office, eventually reduced the fine to just £20m ($22m).

Regulators cracking down

However, some market participants reckon regulators are only going to get tougher on organizations that breach the rules.

“There is a high likelihood that the fines will be higher going forwards,” says Rebecca Tamegnon, senior legal counsel and global data protection manager at luxury hotel chain Kempinski Hotels. “It has been almost four years now, so businesses have had enough time to implement GDPR and so they should be much more educated. The regulator won’t be so lenient anymore.”

That is likely to make boardrooms nervous. Almost a third of companies said they are still not fully compliant with GDPR, according to Integreon’s 2021 Regulatory Readiness report. Part of the issue is that many corporates were slow to implement the rules in the run-up to 2018, with many leaving it until the last minute and often relying on poor advice, says Jagvinder Singh Kang, a partner at law firm Mills & Reeve and international and UK head of its IT practice.

“There was a scarcity of data protection practitioners in 2018 and so there are a lot of organizations that have been badly advised,” says Kang. “In the last year or two, we’ve had very large, multimillion-pound clients coming to us saying their UK GDPR compliance is in urgent need of addressing, due to failings that they have uncovered as a result of not having used specialists in the past.”

A frequent problem, he says, is that organizations have viewed GDPR as a simple box-ticking exercise. “That’s going to cause more issues because it provides a false sense of security, rather than advancing compliance.”

Another challenge is that organizations have been left to interpret the rules themselves, creating potential for confusion and misunderstanding.

“Organizations have been left second-guessing whether or not they are compliant, while regulators have been drip-feeding guidance which has sometimes then changed what organizations need to do in quite a significant way – that is why you get many organizations feeling that UK and EU GDPR is getting in the way of doing business, as you need to be continually keeping on top of changes in the associated regulatory landscape,” Kang says.

GDPR’s ever-changing nature also makes it a challenge for organizations to maintain compliance with it.

“If we think of GDPR as a journey and not a destination, it’s very difficult for an organization to say, ‘As of today, we are compliant with GDPR’,” says Andrew Cooke, former general counsel at esports performance brand Fnatic.

Some organizations may decide to only partially comply with the rules in order to save money.

“While this is not true of Fnatic, businesses inevitably balance the opportunity cost against the investment and time required to tick every box in GDPR,” Cooke says. “Some companies may take the approach of keeping their fingers crossed and the front-end tidy but if you actually started to scratch at the surface, you would find that they are not complying with the core principles of GDPR and don’t have privacy-by-design as their first consideration.”

Financial burden

For those organizations striving to maintain compliance with GDPR, the impact has been significant. Almost nine out of ten global companies say they spend more than $1m a year on GDPR compliance, with 40% spending more than $10m, according to a PwC report.

Tamegnon says that, while Kempinski Hotels already had a strong data privacy culture before GDPR was introduced, maintaining compliance still requires a huge investment of time.

“It’s not a one-off task,” she says. “We have to keep updating our processes and policies in light of European Data Protection Board guidance, so it’s an ongoing and an endless project.”

The question is, four years since its introduction, has GDPR achieved what it set out to do? Yes and no, says Good.

“It has certainly increased people’s understanding and awareness of the value their personal data has now in the context of modern business, but it’s done that at a very heavy burden to business and with an outcome that doesn’t necessarily move consumers further forward in their day-to-day lives,” she says. “The heaviest burden has been in the context of changing business processes and being able to do so on a sustainable and an informed basis – the law at its surface might look black and white, but it’s not.”

Cross-border data transfers by EU-based businesses sending their data to non-GDPR jurisdictions have also become more burdensome following the ‘Schrems II’ European Court of Justice decision in the summer of 2020. Under that ruling, organizations transferring data outside of the EU must take extra steps to ensure it will be protected to the same standard as it would be inside the EU.

One thing that might ease that burden: many other jurisdictions are fast adopting GDPR-like rules of their own. Countries such as China, South Africa, India, Thailand, and Australia are all either considering or preparing to pass data privacy legislation.

“Ensuring compliance with all the different data privacy laws is a big challenge for global companies but when you’re already GDPR compliant, you have a good base to start from,” says Tamegnon.

However, upcoming e-privacy regulation in the EU – which will toughen rules around cookies and digital marketing – will likely add another layer of complexity. And while the potential for UK GDPR to diverge from EU GDPR in the wake of Brexit could lighten the regulatory burden for some organizations – the UK government has suggested it might ease or even axe certain GDPR requirements, such as data protection impact assessments – that could undermine efforts to safeguard consumer data better.

“On the face of it, that might seem like a good thing to certain organizations – freeing businesses’ resources to do other things – but the downside is, if you dispense with these things, organizations are probably going to find it more difficult to comply with what the UK GDPR was aimed at promoting, including aspects such as transparency, data minimization, and accountability, so it’s an issue which is not going to go away,” says Kang.