EU've been naughty: GDPR has netted bloc €114m in fines since 2018

EU regulators have slapped businesses with an estimated €114m (£97.29m) in fines for data leakage or crappy practices since GDPR was introduced in May 2018, although bigger numbers are expected in future penalties. Regulators in France, Germany, and Austria reported the biggest fines so far, according to a report by law firm …

  1. Anonymous Coward

    Wouldn't it be nice if the UK had an effective regulator?

    ... but given Sajid Javid's recent 'no alignment' statement on Brexit - perhaps the UK will bin all things GDPR from 2021 ...

    Unless, of course, companies in the UK want to do business with the EU...

    1. Anonymous Coward

      Re: Wouldn't it be nice if the UK had an effective regulator?

      Bear in mind that, as GDPR has only been in force for a relatively short period of time, most of the ICO's GDPR cases are still waiting to be resolved one way or the other.

      We need to wait six months to a year to get a decent view of how the ICO is performing.

      1. A.P. Veening Silver badge

        Re: Wouldn't it be nice if the UK had an effective regulator?

        "Bear in mind that, as GDPR has only been in force for a relatively short period of time, most of the ICO's GDPR cases are still waiting to be resolved one way or the other."

        I'd say nearly two years isn't that short.

        "We need to wait six months to a year to get a decent view of how the ICO is performing."

        I'd say nearly two years should get a pretty decent view, adding another half to whole year won't change it much anymore.

        1. Anonymous Coward

          Re: Wouldn't it be nice if the UK had an effective regulator?

          The very latest case on the ICO's website (9/1/20) is about violations that happened in 2017. It takes several years for a complaint to go all the way through the system, and so far only one GDPR case has been completed.

          It's not unusual for a court case (non-criminal) to last over a year, and that's without all the investigation etc. that has to go on beforehand, so this isn't an unusually long period of time.

          Hence, if we wait six months, hopefully there should be the first crop of GDPR fines being levied, and we can get a better idea of how the enforcement is going.

          1. A.P. Veening Silver badge

            Re: Wouldn't it be nice if the UK had an effective regulator?

            Sloppy and slow, several other countries have already handled multiple cases.

    2. Captain Scarlet Silver badge

      Re: Wouldn't it be nice if the UK had an effective regulator?

      If it generates revenue for the government then I highly doubt they would bin it, just rename it and give it a new logo.

      1. AMBxx Silver badge

        Re: Wouldn't it be nice if the UK had an effective regulator?

        €114m doesn't sound like that much - how much has this cost from both the government's and business' perspectives?

        1. quxinot Silver badge

          Re: Wouldn't it be nice if the UK had an effective regulator?

          Bigger question. How much has been actually collected?

        2. khjohansen

          Re: Wouldn't it be nice if the UK had an effective regulator?

          It's not to make a profit (?) - it's about better business practices!

        3. Warm Braw Silver badge

          Re: Wouldn't it be nice if the UK had an effective regulator?

          In the BA case, El Reg reported that the ICO's total annual legal budget is around £2m, which won't last long if there are any substantial challenges to its rulings.

          The ICO is spread pretty thinly and is arguably starting from the wrong end - I would have thought that encouraging good practice and random auditing would be more effective than fining companies after a major incident has already occurred. However, we can't have a nanny state, can we, especially since we want to scrap all those costly regulations that deter businesses from making ~~political donations~~ investing.

      2. Chris G Silver badge

        Re: Wouldn't it be nice if the UK had an effective regulator?

        New logo?

        The way that normally goes, they will need to collect a good £50Million just to pay for the Corporate Identity Consultants before they are able to come up with a new logo, then they will choose something that is almost the same as the old one just to provide a semblance of continuity.

    3. Doctor Syntax Silver badge

      Re: Wouldn't it be nice if the UK had an effective regulator?

      "companies in the UK want to do business with the EU"

      Who cares what companies think? "We" voted to leave. The fact that we (without the quotes) will depend on a functioning UK economy is neither here nor there although it might turn out to be a surprise to "us" when that's discovered.

      1. Anonymous Coward

        Re: Wouldn't it be nice if the UK had an effective regulator?

        "We" don't need to trade with the EU. Not with all the trade we will do with African nations. (Apparently)

        Just don't mention visa waiver* travel.

        *"Visa free" travel if you're lying about travel requirements during an election or a referendum.

        1. streaky

          Re: Wouldn't it be nice if the UK had an effective regulator?

          If you can travel somewhere for 90 days by a simple application and paying a what was it again, 6 euros? fee every 3 years then maybe it effectively is visa-free travel and it might be time to stop moaning because nobody could put forward a positive compelling case to stay in the EU? (helps that there isn't one)

          No, oh well, in which case - to bastardise a line from Sorkin - they'll like us when we win.

          1. Richard 12 Silver badge

            Re: Wouldn't it be nice if the UK had an effective regulator?

            What exactly is your "positive compelling case" for leaving the EU?

            I mean specifically. What do YOU want from it?

            Why do you think that leaving the EU would give you it, do you now think you are (likely to be) getting that specific thing, and what do you think the cost of getting it will be?

            1. Anonymous Coward

              Re: Wouldn't it be nice if the UK had an effective regulator?

              >>>I mean specifically. What do YOU want from it?

              Perhaps White-cliffs-of-Dover privilege?

          2. Anonymous Coward

            Re: Wouldn't it be nice if the UK had an effective regulator?

            >If you can travel somewhere for 90 days by a simple application and paying a what was it again, 6 euros? fee every 3 years then maybe it effectively is visa-free travel ...

            No. No it isn't. Not at all.

            Clearly you have no understanding of visas or suchlike. Priti, is that you?!

    4. streaky

      Re: Wouldn't it be nice if the UK had an effective regulator?

      The UK does have an effective and well-funded regulator. Is now a good time to talk about the RoI?

      1. Jedit Silver badge
        IT Angle

        "Is now a good time to talk about the RoI?"

        That depends. Are you talking about return on investment, or the Republic of Ireland?

        (The IT angle is, apparently, an unspecified technological solution in both cases.)

    5. Anonymous Coward

      Re: Wouldn't it be nice if the UK had an effective regulator?

      Of course "no alignment" can mean stricter regulation, but no-one seems to want to shout about that.

  2. Khaptain Silver badge

    "EU regulators have slapped businesses with an estimated €114m (£97.29m) in fines"

    I wonder how much they have actually managed to collect and at what cost, especially the lawyers' fees.....

    1. Woodnag

      I expect the BA fine to be quietly brushed under that tired old rug, 'forgotten about', and not collected...

    2. Captain Scarlet Silver badge

      Oh like most companies fined for spamming end up shutting up shop only to reappear at a later date.

      1. John Brown (no body) Silver badge

        We are sad to announce that British Airways has gone into liquidation and no longer holds any assets. Unfortunately, that means the GDPR fine cannot be paid.

        In other news, Brexit Airways would like to announce it has acquired a huge number of assets at fire-sale prices and will commence operations immediately.

  3. FrogsAndChips Silver badge

    Subheading contradicts article

    Subheading: "France, Germany and Austria house the most offenders – survey"

    Article: "Regulators in France, Germany, and Austria reported the biggest fines so far" ; "The Netherlands reported the largest number of offenders, [...]. Germany came in second [...], and Britain came in third"

    1. John Brown (no body) Silver badge

      Re: Subheading contradicts article

      Not to mention that all the numbers prove is that some countries may have better funded detection and reporting and/or more swift processes to impose and collect fines.

  4. Anonymous Coward

    What would be more interesting is

    Totalling private company fines and public body fines separately.

    Fining the taxpayer for civil servant crimes is not a real punishment. Or disincentive.

  5. Anne-Lise Pasch

    Math!

    So, 114,000,000 / 160,000 means each *breach* has an average value of 700 euros *. Which means our personal data is still worth tuppence.

    ...

    About right.

    * about 400 euros if you discount the Google judgement, which wasn't really about GDPR.

    1. Persona Silver badge

      Re: Math!

      This does contrast quite sharply with the UK's ICO intention to fine British Airways £183m and hotel chain Marriott £99m.

  6. heyrick Silver badge

    France, Germany and Austria house the most offenders

    Not only does this not make sense with the article (as mentioned above), but if we take it on face value - do those three countries really have the most, or do they have people more willing to make a complaint because they know their regulator is more likely to actually do something?

    1. Mike 137 Bronze badge

      Re: France, Germany and Austria house the most offenders

      Not sure about France, but Germany and Austria have a track record of rigorous enforcement, even under the Directive, so it's likely that this affects the position, rather than it being merely due to them having "most offenders".

      Here in Blighty, the ICO seems to be concentrating on high profile data breaches and can be surprisingly tolerant of abuses of data subject rights that haven't resulted in data leakage. Here are a couple of examples:

      Under DPA 1998 I reported a business that issued "fitness for work" certificates for posting the certificates online for collection, entirely unprotected other than by a unique URL, but was told by the ICO that this was OK unless I could prove that unauthorised access had occurred. The case officer actually suggested I should attempt to do so to prove my point (thereby of course committing an offence under the Computer Misuse Act).

      More recently, I have been informed by a case officer (presumably representing the ICO officially) that it's OK for a data controller to conceal processing on the basis of "legitimate interest" from a data subject. The actual decision was that "examples" of such processing are "sufficient".

      I'm not a lawyer, but it seems to me that as processing on the basis of legitimate interest confers on the data subject a right to object to the specific processing, merely providing "examples" denies the data subject the ability to object to processing that is not used as an "example".

      Taking such examples together with the appalling standard of almost all "privacy policies", we don't seem to be taking the GDPR very seriously, and of course it's possible that from February we could even dismantle our parallel compliance under our own legislation.

      1. Cynical Pie

        Re: France, Germany and Austria house the most offenders

        A key consideration for use of legitimate interests is does it prejudice the rights and freedoms of the individual.

        That the individual may not like it or object isn't necessarily enough to show it prejudices their rights or freedoms and so LI might still be applicable.

        That said with all things DP context is everything and what works for one situation may not work for another identical type of processing due to the wider circumstances.

      2. A.P. Veening Silver badge

        Re: France, Germany and Austria house the most offenders

        "Not sure about France, but Germany and Austria have a track record of rigorous enforcement, even under the Directive, so it's likely that this affects the position, rather than it being merely due to them having 'most offenders'."

        And the Netherlands also have a pretty good track record with excellent registration systems.

      3. Anonymous Coward

        Re: France, Germany and Austria house the most offenders

        I made a complaint to the ICO about a government department ignoring (as in completely failing to respond to) a Subject Access Request. Their initial response was that the organisation hadn't broken the Data Protection Bill 2018. Requesting that they re-examine it, stating the organisation's responsibilities upon receiving the SAR, resulted in a different decision...

    2. khjohansen

      Re: France, Germany and Austria house the most offenders

      ... They also house a lot of EU citizens/companies.

Biting the hand that feeds IT © 1998–2020