Fines issued for GDPR non-compliance increased sevenfold from 2020 to 2021, analysis shows
In its latest annual GDPR summary, international law firm DLA Piper focuses attention in two areas: fines imposed and the evolving effect of the Schrems II ruling of 2020. Fines are increasing and Schrems II issues are becoming more complex.
Fines issued for GDPR non-compliance increased significantly (sevenfold) in 2021, from €158.5 million (approximately $180 million) in 2020 to just under €1.1 billion (approximately $1.25 billion) in 2021. The largest fines came from Luxembourg against Amazon (€746 million / $846 million), and Ireland against WhatsApp (€225 million / $255 million). Both are currently being appealed.
The WhatsApp fine is interesting. The original fine proposed by the Irish Data Protection Commission (DPC) was for €30 million to €50 million. However, other European regulators objected, and the European Data Processing Board (EDPB) adjudicated – instructing Ireland to increase the fine by 350%.
This is exactly the process activist Max Schrems is hoping for (actually, expecting) in his case in Ireland against Facebook. The Irish DPC has stated that Facebook is not contravening GDPR. Schrems believes that the other European regulators will object, and the EDPB will overturn the Irish decision.
The process illustrates the GDPR ‘one-stop shop’ principle in action. It is designed to prevent companies looking for adjudication in countries with a history of lenient fines. One ruling covers the entire European Union, but other regulators can object to the ruling.
The DLA Piper report (PDF) also highlights what appears to be a divergence of approach between different European regulators. Some countries prefer a smaller number of large fines, while others seem to prefer a large number of small fines. This may, however, be influenced by the European headquarters location of the tech giants likely to attract the larger fines: WhatsApp, owned by Facebook, is headquartered in Ireland, while Amazon is headquartered in Luxembourg.
The report suggests there will be “significantly more complaints, investigations and enforcement activity this year in relation to cookies and similar tracking technologies.” It notes that the My Privacy is None of Your Business (NOYB) organization has issued 500 complaints to organizations for alleged breaches of cookie requirements, threatening formal complaints if the alleged infringement isn’t remedied.
Much of the DLA Piper report examines the growing effect of the Schrems II ruling of 2020. “The decision of Europe’s highest court in Schrems II in July 2020 was seismic,” notes the report. “The CJEU invalidated the Privacy Shield regime and left standard contractual clauses on life support.”
Schrems II applies to data transfers from Europe to any third-party country. In reality, it will primarily affect data transfers between the EU and the U.S. involving the large U.S. tech giants (Facebook, Google, Amazon, Microsoft etcetera).
The heart of the ruling is simple to understand. GDPR states that European personal data may not be exported to any country that does not have GDPR equivalent privacy rules. The U.S. does not have equivalent security – but has been considered a special case because of the volume of data transfers between the two blocs. Hence the Privacy Shield fudge to legalize transfers.
The Schrems II ruling invalidated the Privacy Shield. The basis is that U.S. government access to European personal data via FISA 720 is a fundamental contravention of GDPR. The same principal applies to standard contractual clauses (SCCs) because it is difficult to imagine how ‘contracts’ with European companies can prevent a lawful FISA 720 U.S. demand for access.
Technical measures to protect the data are still a possibility, but difficult in practice. Encryption could prevent U.S. government access, but only if the decryption keys cannot also be demanded by the government. This would require the company to have no access to the keys; but this would mean that without its own access it would not be able to process the data, and there would be little value to it.
The most obvious solution would be European localization of data – that is, for data collectors to keep the data on servers within the EU. However, this is also now questionable. In March 2021, a French court rejected a claim against the collection of COVID-19 data on an EU-hosted server that ultimately belonged to a U.S. company. The court ruled that in this case there were adequate provisions to protect the data.
Significantly, however, it also added that U.S. extra-territorial access to data held by U.S. companies is relevant to GDPR. “The ruling,” says DLA Piper, “implies that merely localizing and ring-fencing personal data in Europe may not be sufficient where the service provider is subject to extra-territorial laws that may result in access to personal data by public authorities in third countries; additional safeguards may be necessary to prevent access.”
Industry is still largely in a ‘wait and see’ phase over Schrems II. Neither EU governments nor the U.S. government wish to damage trade between the two blocs, and are both waiting to see how the problem plays out in the courts. Noticeably, there have been no Schrems II fines yet issued.
This cannot continue indefinitely. One month after the Schrems II judgment, Max Schrems raised 101 Schrems II-related complaints via the NOYB organization. These are now playing out in various courts. The Schrems versus Facebook case in Ireland is one example. The Google Analytics decision by the Austrian regulator (probably arriving too late for inclusion in DLA Piper’s report) is a second. More will follow – and there is no easy solution for business.
“Meeting the requirements of Schrems II and the EDPB recommendations is a challenge even for the most sophisticated and well-resourced organizations,” says the report, “and is beyond the means of many small and medium-sized enterprises.”
At a time of rising GDPR fines, Schrems II puts EU/U.S. data transfers between a rock (GDPR) and a hard place (FISA 720). GDPR is unlikely to be amended; FISA 720 is unlikely to be rescinded. For now, it is difficult to see any solution outside of new technical developments and business practices.