25 May 2019 marks the one-year anniversary of the much-discussed General Data Protection Regulation (GDPR) entering into force. Since the Dutch Data Protection Authority (Dutch DPA) also recently published its 2018 annual report, now is a good time to take stock of it all. What has one year of GDPR yielded? Have high fines been imposed and, if so, for what type of violations? And what do you need to watch out for in 2019?
Annual report 2018
As shown in the annual report, 2018 was a hectic year for the DPA. Not only did the GDPR come into force, but the DPA also hired many new employees while setting up and implementing a new organisational structure.
In the report, the DPA indicates that in 2018 it deliberately chose to focus on promoting compliance with the privacy regulations. Its approach entailed investing heavily in providing information and advice, on the one hand, and seeking to stop violations rather than imposing sanctions after the fact, on the other.
Some headline figures for 2018:
- The DPA received over 11,000 complaints and nearly 21,000 data breach notifications.
- 720 complaints and 298 data breach notifications were dealt with through an intervention, such as a letter or discussion in which the DPA explained the privacy regulations.
- The DPA completed 16 investigations and started 17 enforcement procedures, which resulted in sanctions being imposed on, among others, Uber, the Tax and Customs Administration and the Employee Insurance Agency (UWV)*. Uber was fined EUR 600,000 for failing to notify a data breach promptly. The Employee Insurance Agency (UWV) was fined for failing to equip the secure access to its employer portal with multifactor authentication. The National Police were ordered to pay a fine for the inadequate security of an IT system. InsingerGilissen Bankiers were fined EUR 48,000 for not complying with a personal data access request. Finally, the Tax and Customs Administration was prohibited from using the Citizen Service Number in the VAT number from 1 January 2020.
A comparison of these figures with those of previous years shows an explosive increase in the number of data breach notifications since this obligation was introduced in 2016. Enforcement and sanctions (including fines), however, are increasing only slowly.

| | 2014 | 2015 | 2016 | 2017 | 2018 |
|---|---|---|---|---|---|
| Data breach notifications | – | – | 5,700 | 10,009 | 20,881 |
Elsewhere in Europe
What are regulators doing elsewhere in Europe? Several Member States have already seen the first fines imposed for violations of the GDPR; examples include:
- In March 2019, the Polish regulator fined a Polish company EUR 220,000 for breach of the obligation to provide information. The company had created an extensive database of personal data that it had collected from public sources, but without informing the data subjects.
- In January 2019, the French regulator fined Google EUR 50,000,000 for lack of transparency, breach of the obligation to provide information and obtaining consent unlawfully.
- In February 2019, the Maltese regulator fined the Maltese Land Registry EUR 5,000 for failing to properly secure an online portal.
- In September 2018, the German regulator (more specifically the one from Baden-Württemberg) fined a German social network EUR 20,000. The social network had reported a data breach in which users’ passwords and e-mail addresses had been leaked. Follow-up investigations by the regulator revealed that password encryption had not been used, thus violating the obligation to take appropriate security measures.
- In September 2018, the Austrian regulator imposed a fine of EUR 5,280 on a betting shop that used a video surveillance system for which there was no legal basis and that stored the recordings for too long.
What does 2019 have in store?
In its annual report, the DPA explicitly states that in 2019 the focus will shift from information to enforcement. While the DPA currently still often concentrates on ending any (possible) violation when dealing with a complaint, in 2019 it will initiate investigations and impose sanctions more often. The DPA’s stated areas of focus for 2019 are: i) security measures and the legal bases for processing personal data in the healthcare sector, ii) unreported data breaches and iii) trade in personal data.
*The infringements often date from the pre-GDPR era and are therefore assessed and sanctioned according to the Personal Data Protection Act and not the GDPR.