Ridiculously low ceilings on administrative fines hindered the effectiveness of EU data protection law for over twenty years. US tech giants may have seen these fines as a cost of doing business. Now, over two years after the commencement of the European Union’s widely heralded General Data Protection Regulation (GDPR), the anticipated billion-euro sanctions of EU Data Protection Authorities, or ‘DPAs’, which were to have changed the paradigm, have yet to be issued.
Newspaper tribunes and Twitter posts by activists, policymakers and consumers evidence a sense of unfulfilled expectations. DPA action has not supported the theoretical basis for GDPR sanctions—that of deterrence. However, the experience to date and reactions to it inspire recommendations for DPAs and companies alike.
In our working paper, EU General Data Protection Regulation Sanctions in Theory and in Practice, forthcoming in Volume 37 of the Santa Clara High Technology Law Journal later in 2020, we explore the theoretical bases for GDPR sanctions and test the reality of DPA action against those bases. We use an analysis of the various functions of sanctions (confiscation, retribution, incapacitation etc) to determine that their main objective in the GDPR context is to act as a deterrent, inciting compliance.
To achieve deterrence, sanctions must be severe enough to dissuade. This has not been the case under the GDPR as shown through an examination of actual amount of the sanctions, which is paradoxical, given the substantial increase in the potential maximum fines under the GDPR. Sanctions prior to the GDPR, with certain exceptions, were generally capped at amounts under €1 million (eg £500,000 in the UK, €100,000 in Ireland, €300,000 in Germany and €105,000 in Sweden).
Since the GDPR has applied, sanctions have ranged from €28 for Google Ireland Limited in Hungary to €50 million for Google Inc in France, far below the potential maximum fine of 4% of turnover, or approximately €5.74 billion for Google Inc. based on 2019 turnover. While the highest sanctions under the GDPR have been substantially greater than those assessed under the prior legislation, they have been far from the maximum fines allowed under the GDPR.
Nonetheless, this failure of DPAs, especially the Irish DPA responsible for overseeing most of the US Tech Giants, has not gone unnoticed, as shown by EU institutional reports on the GDPR’s first two years. Indeed, increased funding of DPAs and greater use of cooperation and consistency mechanisms are called for, highlighting the DPAs’ current lack of means. Here, we underscore the fact that, in the area of data protection, there has been perhaps too much reliance on national regulators whereas in other fields (banking regulation, credit rating agencies etc), the European Union has tended to move toward centralization of enforcement.
Despite these short-fallings, the GDPR’s beefing-up of the enforcement toolbox has allowed for actions by non-profit organizations mandated by individuals (such as La Quadrature du Net that took action against tech giants after the GDPR came into force), making it easier for individuals to bring legal proceedings against violators in the future, and an EU Directive on representative actions for the protection of consumer collective interests is in the legislative pipeline.
On the side of businesses, there has been a lack of understanding of certain key provisions of the GDPR and, as compliance theorists tell us, certain firms may be overly conservative and tend to over-comply out of too great of a fear of sanction. This seems to be the case with the GDPR’s provisions regarding data breach notifications, where unnecessary notifications have overtaxed DPAs. The one-stop-shop mechanism, which is admittedly complex, also created misunderstanding.
This mechanism allows the DPA of the main establishment in the European Union of a non-EU company to become the lead supervisory authority in procedures involving that company, which potentially could lead to companies’ forum-shopping on this basis. However, there is also a requirement that the main establishment has decision-making power with respect to the data processing to which the procedure relates. Failure to consider the latter requirement could result in companies selecting main establishments in countries where there is not such decision-making power, and thereby halt attempts at forum-shopping for a lead supervisory authority for certain processing. One example of this culminated in the French DPA (CNIL)’s largest fine so far, imposed on Google, whereas the latter argued that the Irish DPA was its lead supervisory authority.
As we explain in our paper, a lack of GDPR enforcement carries risks. Not only does it undercut the deterrent effect of the GDPR, but it also provides a tenuous basis for risk assessment by companies. While the GDPR’s first two years involved a sort of grace period when DPAs focused on educating companies and spent time painfully investigating complaints to litigation-proof their cases, some companies model their risk assessment of regulation based on enforcement histories. If there is a push for greater enforcement, which EU institutional reports would tend to foreshadow, the basis for companies’ models will be inaccurate. Furthermore, such dependence on risk evaluation ignores potential benefits to firms of increased trust and efficiency involved with expanding compliance to adopt a higher data protection compliance standard applied to customers worldwide.
Thus, we argue, not only should DPAs sanction offenders, but DPAs should sanction them severely when justified, establishing the necessary deterrence effect for EU data protection law. Moreover, DPA’s communication should in many cases be modified to stop downplaying sanctions: such communication is counterproductive to the desired effect of sanctions. Companies, on the other hand, should take efforts to understand fully the GDPR, and embrace compliance, leaving behind data protection forum-shopping as a potentially ineffective action. Furthermore, the typical securities lawyer warning that, ‘past performance is no guarantee of future results’, may be a forewarning to companies using past sanctions to create their compliance risk-assessment models that the results may not be accurate for the future.
Gregory Voss is an Associate Professor in the Human Resources Management & Business Law Department at TBS Business School.
Hugues Bouthinon-Dumas is an Associate Professor in the Public and Private Policy Department at ESSEC Business School.
This article originally appeared on the Oxford Business Law Blog (OBLB) and is reproduced with permission and thanks.