Thursday 17 October 2019

Adrian Weckler: 'One year on from GDPR, when will we start to see big fines dished out?'

Powers: Data Protection Commissioner Helen Dixon can impose huge fines. Picture: Collins
Adrian Weckler

Happy first birthday, GDPR. Across Ireland and Europe, those four capital letters have seared themselves into our consciousness.

For some they mean protection against tech bullies. For others, they represent red tape. For most of us, they have meant confusion at one point or another as to what sort of personal information we are, or are not, allowed to keep about friends, colleagues or customers.

So what is the scorecard for the General Data Protection Regulation (GDPR), Europe's powerful privacy law? Has it levelled the playing field for citizens against data-snooping social networks and unscrupulous marketers? Or is it yet to see any significant manners put on would-be offenders?

While opinions differ on the true depth of its impact, it has certainly had an effect. According to the European Commission, there has been a jump in data breach notifications (to 89,271) across the EU since the GDPR was enacted.

From tech firms noticing that some customer account passwords weren't encrypted to civil servants losing laptops in taxis that have citizens' information on them, organisations now know that if they botch something, silence and secrecy is no longer an option. They must report it to their local data protection regulator.

On the other hand, we have not yet seen a wave of substantial fines or penalties under GDPR.

In total, less than €60m in sanctions under GDPR have been doled out, with the bulk of that resulting from one French fine, against Google.

So is it turning out to be toothless? No, say officials from the Irish Data Protection Commissioner's office, the agency with most responsibility for regulating the world's biggest tech giants in Europe.

Since last May, it has opened 18 statutory inquiries under GDPR into tech multinationals based in Dublin.

Of these, 11 are into one company - Facebook - and its subsidiaries, Instagram and WhatsApp.

Just this week, the watchdog opened a fresh inquiry into Google over concerns that its personalised online advertising system may not fully comply with GDPR privacy rules.

But even with so many open investigations, there have been no verdicts yet. These, Commissioner Helen Dixon says, will start to come later this summer.

Potentially, these penalties could be very high. Under the European legislation, Ms Dixon has the power to slap fines of up to €20m or 4pc of annual turnover on a company.

That latter limit conjures up some eye-watering sums. Google, for example, pulled in €112bn in revenue last year.

Few analysts believe that anything but the worst, most cynical, abuse of data privacy might result in a fine of €4bn for Google from the Irish DPC, but US tech giants know European bodies, in general, mean business.

Google itself got a €1.5bn fine two months ago from the European Commission for a breach of competition law, bringing to a staggering €8.3bn the total European institutions have fined the search giant in the last three years.

As such, all eyes will now be on Ms Dixon's office in the coming months to see what level of penalty, if any arises, will accrue in the case of culpability.

Nevertheless, there has been a lot of confusion and misinformation about the GDPR. Up and down the land, small businesses and community organisations have struggled to understand what they may, or may not, be allowed do.

Last month, the DPC had to issue guidance to schools and parishes clarifying that taking a phone photo of a communion, confirmation or school sports event was not "against the rules of GDPR".

The missive came amid reports of bishops, teachers and other community leaders using the EU privacy law as a warning to parents seeking to snap their child on a special occasion.

However, Ms Dixon has rejected an argument sometimes put forward by small business organisations that the GDPR has made it smoother for the biggest corporations, with their compliance teams, but harder for small outfits and start-ups that aren't as well resourced with regulatory experts.

Irish Independent
