Lessons from GDPR fines issued thus far
Regulators across Europe are interested not just in the activities of the larger players, but also the hows and whys of certain data breaches, says one partner.
Speaking recently on The Corporate Counsel Show about the year that has been since the implementation of the General Data Protection Regulation in Europe, Holman Webb partner Tal Williams said there have been about 200,000 complaints lodged with the various individual national regulators across the continent.
“The matters that have been addressed that have been publicised, probably not surprisingly, are the big ones. [People are probably] aware of Google’s fine in France, not that long ago. It was a €50 million fine, [which was] interesting for two reasons,” he said.
“Of all the fines that were issued, that makes up around 97 per cent. In other words, there’s a total of about €56 million fines that have been issued, €50 million of which was on Google. And, so, you can see that the authorities are focusing on the big, high-named brands and really making a point that this is important to everybody.”
As a result, Mr Williams surmised, the new regulatory regime is relevant to big and small players across the board.
“Indeed, there are inquiries already going on still. Facebook is under investigation. Apple is under investigation, LinkedIn is under investigation, Twitter is under investigation, Instagram is under investigation, and WhatsApp are all being considered by various regulators in those countries to determine whether or not their privacy requirements comply with the new obligations,” he explained.
“[Regulators] very much will be looking strongly at things. But it’s not just those people. So, one of the more recent cases — and I suppose this is telling for Australia, because this is an obligation of ours — is you only keep data for as long as it’s necessary to keep that data. The Lithuanian regulator has issued a €61,000 fine for somebody who, amongst other things, kept data that should have been kept for 10 minutes, kept it for 216 days.
“That was found to be a breach. Why was it that you needed it for more than 10 minutes? Why was it still on your systems for 216 days? That is something they took into account.
“Similarly, the way they managed their breach was considered inappropriate. And indeed, along those lines as well, there was another party in Italy who did breach, did notify, but then when they notified the affected people, they simply said, ‘You should change your passwords, because there’s been unusual activity on our server’. That was it. And that was found to be a breach as well, because they didn’t give the people whose data had been affected sufficient information. They didn’t really impart the importance that attached to it, and it was found to be a breach as well.”
Mr Williams concluded: “So, the cases, they’re focusing on the big picture, but they are relevant to the small picture.”
In the same episode, Mr Williams said that the GDPR legislation is “pretty similar” to Australia’s existing privacy laws, which — save for some differences and extensions — means that in-house counsel in Australia have been well placed, relative to other jurisdictions, to navigate the new regulations for their respective businesses.