Three years after the EU’s flagship GDPR law came into effect, regulators are now getting very serious about fining companies for data privacy breaches. A record fine handed out last month shows that the law is not a paper tiger.
GDPR was touted as the EU’s opportunity to lead the way in data regulation, creating a rulebook that other countries could adopt, either to meet the highest standards available or out of sheer need to do business in the internal market.
Brussels has the ambition to be the ‘rule-maker’ rather than the ‘rule-taker’ in every sector it regulates, be it data, climate, transport or electronics.
First-mover advantage is more often than not worth its weight in gold.
However, the labyrinthine process of policy making and entrenched vested interests often allow others to steal a march on the EU and set standards long before Brussels gets its act together.
GDPR was largely an exception to that trend. Aside from the additional burden the regulations place on businesses, critics of the GDPR have also argued that the law gives national regulators too much leeway, allowing them to let tech giants off with small fines, so as not to deter business.
Little Luxembourg completely blew that latter theory out of the water in July, when it imposed a record €746 million fine against Amazon after data authorities found the e-commerce titan guilty of GDPR violations believed to be related to advertising practices.
Amazon has its EU headquarters in Luxembourg, so it’s a big blow to the company, which has indicated it plans to appeal the decision.
Given that the previous record fine was ‘just’ the €50 million that France handed out to Google, this is a clear indication that Europe is going to rein in tech companies by using the GDPR and the EU’s e-Privacy Directive as tools.
After all, the GDPR is not the only weapon in the regulatory arsenal.
However, Luxembourg is not a frontrunner when it comes to the number of fines.
That accolade goes to Spain, which has handed out 275 penalties in three years, while Italy and Romania also top the list with 76 and 61 penalties, respectively.
The number of fines could increase soon, as the EU’s highest court ruled in June that countries can start cases in other members of the bloc if there is legitimate urgency.
That was in response to Ireland’s claim that it was unable to keep up with the sheer volume of privacy complaints due to the number of major tech companies headquartered in Irish territory.
It is not just the national authorities that are starting to tackle bad practices.
The data protection watchdog for the German city of Hamburg said this week that Zoom, the video conferencing platform made infamous by lockdowns, is allegedly violating the GDPR.
The city’s data protection commissioner Ulrich Kühn said in a statement that the use of Zoom “is associated with the transfer of personal data to the US” and warned the Hamburg Senate not to use the platform.
Zoom says its services are GDPR compliant and it remains to be seen whether the Hamburg watchdog will investigate the matter further or whether other regulators will scrutinize companies like Zoom in the coming months and years.
This willingness to enforce the rules could have a positive effect elsewhere in EU law. If countries begin to conclude that rules made in Brussels are actually having the right impact, they may be more willing to play fair.
EU sanctions or ‘infringement proceedings’ are a bit of a joke in Brussels, as the European Commission, the bloc’s executive, has to meet a long list of criteria before referring a country to the EU’s highest court. Cases often take several years to close.
By that time, most people have forgotten what the dispute was about, and in some cases, new rules have replaced the original set.