GDPR complaints stack up across the EU as regulators prepare to issue fines
Is it more bark than bite? What U.S. marketers can learn from how GDPR is unfolding abroad.
It’s almost five months since Europe’s General Data Protection Regulation (GDPR) went into effect. Although the initial buzz around the sweeping legislation has died down, we’ve seen momentum in the United States toward stricter state data privacy laws such as California’s Consumer Privacy Act (CCPA) as well as possible federal legislation.
More laws mean more tools. OneTrust released OneTrust 4.0, an updated version of its main compliance platform. The new release includes upgraded modules and introduces Vendor Risk and Incident & Breach modules. The platform now provides intelligent visuals for data mapping, consent analytics, targeted data discovery and automated data subject requests, as well as a new customer portal. The updates include a Targeted Data Discovery tool, which provides a framework through which companies can integrate metadata into the platform, and Global Readiness and Accountability functionality that integrates GDPR, CCPA and many other new privacy laws into a single assessment.
The system will draw from the company’s Privacypedia, a database of hundreds of global privacy regulations, research, guidance and templates.
Meanwhile, EU member states have started to tally up GDPR complaints. Numbers have started rolling in from data protection authorities across Europe. For example, the U.K.’s Information Commissioner’s Office (ICO) reported that complaints to the U.K. supervisory authority rose 160 percent to 6,281, compared to the same period last year.
And the French DPA CNIL reported that it has received 3,767 data protection complaints, showing a 64 percent increase compared to the same period last year. CNIL also reported that it has received 600 data breach notifications during the same period.
More bark than bite? As one of the first companies to be warned by a DPA, French startup Teemo might prove that regulators are more interested in keeping companies in line than in collecting fines. (Companies found in breach of GDPR can be fined up to €20 million, or 4 percent of their annual revenue, whichever is higher.) In July, France’s CNIL issued a GDPR warning to Teemo, saying that the company did not collect proper consent for processing location data for retargeting and held the data longer than it needed to.
But once Teemo brought itself into compliance, the CNIL considered the issue closed.
At least one enforcement action has occurred. This summer, the ICO charged Canadian analytics firm AggregateIQ Data Services (AIQ) with a breach of GDPR under articles 5 and 6, for “processing personal data in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for processing.” The Enforcement Notice requires AIQ to “cease processing any personal data of U.K. or EU citizens obtained from U.K. political organizations or otherwise for the purposes of data analytics, political campaigning, or any other advertising purposes.” Fines can be assessed for a failure to comply.
Brian Kane, COO of consent platform Sourcepoint, says we haven’t seen the last of these regulatory warnings.
“While compliance with GDPR requires time and effort as companies figure out the right strategy to implement, it can also be seen as an opportunity to enhance user experience,” Kane said. “Teemo, to its credit, has worked hard to ensure it is operating in compliance with the GDPR, and will likely end up in a stronger position as a result.”
Lessons for U.S. marketers. Reuters reported this week that EU regulators expect to issue fines or temporary bans on companies that breach the law by the end of this year.
“Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” European Data Protection Supervisor Giovanni Buttarelli told Reuters.
Andrew Clearwater, director of privacy at OneTrust, said he expects to continue to see a steady stream of complaints and breaches.
“The number of complaints from individuals in the EU has exploded since the GDPR took effect last May, and we are already seeing DPAs take action, from orders to stop processing to fines that are unprecedentedly high,” Clearwater said. “Those actions target global companies, but also small start-ups. Data breaches will keep being revealed.”
“To avoid GDPR sanctions, which are now reality, companies around the world need to focus even more on their ability to demonstrate their privacy obligations. This is where privacy-specific technology tools become crucial for internal compliance, not only to automate processes and provide the best privacy user experience, but also to keep proper records in one central place in case of an enforcement, whether from regulators or directly from data subjects,” Clearwater said.