When the EU implemented its General Data Protection Regulation four years ago this week, it was heralded as a groundbreaking piece of legislation aimed at taking back control of citizens’ privacy rights in the face of Big Tech.
Four years and more than €1.6bn in fines later, it is worth asking what impact the landmark regulation has really had on privacy and data protection in Europe.
Experts argue that the true potential of GDPR has still yet to be realised, and that structural issues in the way it is enforced remain unsolved.
GDPR fines since 2018: €1.6bn and counting
European data protection authorities have issued a combined €1.6bn in fines for breaches of GDPR since the regulation was implemented in 2018. Almost half of this total relates to a single payment: a €740m fine issued to Amazon by Luxembourg’s data protection watchdog in July last year.
The fine was a result of a collective complaint filed by 10,000 people who argued that Amazon’s targeted advertising system used their personal data without their consent. The e-commerce giant is in the process of appealing the ruling and recently managed to stop daily payments of €660,000 after a Luxembourg judge ruled that the data protection authority’s orders were not “sufficiently clear, precise and without uncertainty”, according to Bloomberg.
Other sizeable GDPR fines include a €50m penalty issued to Google by France's data protection regulator for failing to make its consumer data processing statements sufficiently accessible to billions of users. The French authorities also ruled that Google failed to seek the consent of its users to use their data for targeted advertising campaigns. The fine was upheld despite the company’s attempts to appeal the ruling.
In 2020, the UK's Information Commissioner's Office fined British Airways £20m after the personal data of 40,000 customers was breached in a cyberattack. The ICO ruled that the airline had failed to take the necessary precautions to protect its customer data. The regulator had initially threatened to fine BA £187m, but the airline successfully challenged the method it had used to calculate this figure.
The GDPR violation for which the highest number of GDPR fines have been issued to date is processing data with insufficient legal basis for doing so, according to data collected by law firm CMS. This relates to Article 6 of the GDPR, which includes the requirement for an individual's explicit consent before an organisation can process their personal data.
Which countries have issued the most GDPR fines?
Spain's data protection authority, the AEPD, has meted out a total of 414 GDPR fines since 2018, the highest number of any European regulator. However, Italy has issued the largest total value of fines, having issued penalties totalling €137,339,596, according to Enforcement Tracker’s data.
The high number of penalties in Spain can be explained by an established culture of enforcing data privacy rights even prior to GDPR and a “fully independent” regulator, according to Estelle Masse, global data protection lead at Access Now, a leading digital rights charity.
Since 2018, the AEPD has pursued targets ranging from telecommunications giants to individual citizens for varying levels of data privacy violations. Earlier this month, it fined a private individual €2,000 for sharing a video on WhatsApp that showed a violent attack against the complainant, without getting their prior consent, according to Privacy Affairs.
On the same day, the AEPD fined another private individual €500 for installing surveillance cameras on their property that managed to record other neighbouring properties. The AEPD determined that this violated the principle of “data minimisation”, where the collection of personal data has to be “directly relevant and necessary to accomplish a specified purpose”.
Meanwhile, the AEPD has notably fined Vodafone’s Spanish subsidiary a total of 58 times since 2018. In February earlier this year, the Spanish telecommunications giant was fined €3.94m after several customers lodged complaints that their SIM cards were replicated and used to carry out fraudulent bank transfers. The AEPD decided that Vodafone had failed to implement “appropriate security measures” to prevent the fraudulent replication of SIM cards.
And in March 2021, the company was fined €8.15m for repeated “aggressive telemarketing tactics” despite 162 complaints against such practices. In its decision notice, the AEPD said that Vodafone had already received a fine or warning more than 50 times between January 2018 and February 2020.
This reveals the limitations of GDPR fines as a way to force companies to change their ways, Masse observes. “Something is clearly not working if you have to continuously fine the same company for the same kinds of infractions,” says Masse. “So there is a potential that some of the fines given by the Spanish DPA are not enough of a deterrent for Vodafone.”
“It is unclear why the DPA would repeatedly issue fines to Vodafone instead of opening a broad investigation into the company’s data practices, which appear to be problematic,” she added.
Structural issues holding back GDPR’s potential
Data protection in Europe is stronger than it was in 2018, Masse argues, but much more needs to be done if the regulation is to reach its full potential. “There is indeed an increased awareness about privacy in Europe and elsewhere around the world, but we’re not there yet on really regaining our rights in terms of controlling our information,” she says.
“I’d say that we’re still in the first phase of better understanding the online ecosystem but the full potential of GDPR is far from being achieved, largely because the enforcement is lagging behind," Masse says.
Stefano Rosseti, a privacy lawyer at legal services provider NOYB, believes the lack of strict deadlines for data protection authorities to adequately respond to GDPR complaints from citizens and organisations is a significant hindrance to its impact. The Irish data protection authorities recently settled a case with NOYB over a “gross delay” in two cases initially filed by the organisation almost four years ago.
“If you don’t have clear deadlines and procedural rules, you have a paradoxical situation of granting people rights but not really putting them into practice,” says Rossetti. “And that’s really bad for the rule of law and what we believe citizenship to be, because if we’re supposed to have rights and freedoms, we should also be able to defend ourselves against arbitrary actions of authorities.”
“We’re losing time and these information oligopolies or monopolies are getting bigger and bigger,” he adds. “The only way to fight that is to use our rights and control these asymmetries, because if they are not enforced, then it’s only on paper and that doesn’t work for anyone.”
Another issue with GDPR is the lack of resources that national data protection authorities have to swiftly respond to complaints and enforce privacy violations, adds Masse. Increasing the resources of national authorities would also level the playing field between them and the outsized budgets of Big Tech’s legal departments. But progress on this front continues to be painfully slow, she says.
“If we are able to pass such far-reaching legislation, we should have the same political will to translate that into enforcement,” says Masse. “There is a huge wave of regulation coming out of Europe with the Digital Services Act and the AI Act, but maybe we should pause these ideas at the moment and focus on enforcing what we have.”
“I worry that we’ll enter a cycle where we would need to revisit this conversation every three to five years because the mechanisms aren’t working. You can legislate as much as you want but if you’re not enforcing what you adopt in Brussels, then there’s no point. The time for enforcement is now.”