GDPR violations are being punished more actively: fresh fines and the regulation's impact outside the EU
We look at whom the regulators have punished, how, and what the consequences may be.
Photo: Marco Verch, CC BY
The GDPR entered into force over a year ago. During this time, the European Commission issued almost a hundred fines, with the total amount exceeding tens of millions of euros. We talked about some of them last time.
Today we continue the topic: we look at the latest fine notices (“letters of happiness”) and discuss the influence the General Data Protection Regulation has had on regulation in other countries.
New fines
Interestingly, one of the freshest fines was issued to IDdesign, a furniture retailer. The organization violated the requirement of Article 5 of the GDPR, which says that users' personal data may be stored no longer than the purposes of processing require. IDdesign did not delete the data of 385 thousand customers in a timely manner, because this deletion function had not been implemented in the company's new CRM system. As a result, the furniture store received the largest fine the Danish regulator has issued since the GDPR entered into force: 200 thousand euros.
The payment service MisterTango was punished for a similar violation in Lithuania. The company did not delete customers' personal data once the need to process it had disappeared. In addition, the company's employees did not notify the regulator about last year's incident, when information about 9 thousand payment transactions accidentally became publicly accessible. MisterTango was ordered to pay 61 thousand euros.
In Germany, the transport company Kolibri Image was fined. It was ordered to pay 5 thousand euros for a violation related to an error in the preparation of documentation. Another fine, of 2 thousand euros, was issued to a private person. The user sent an email to a large number of recipients, placing their addresses in the CC (carbon copy) field rather than in BCC (blind carbon copy). As a result, every recipient could see the other recipients' email addresses, and the situation was treated as a leak of personal data.
Incidentally, a similar violation was recorded in the UK a few years earlier. In that case the fine (180 thousand pounds) was imposed on a clinic for HIV patients. At the time, the fine was issued under the Data Protection Directive, which the GDPR has since replaced. It is believed that under the GDPR the organization would have had to write a much larger check.
Is the GDPR effective?
Representatives of the European Commission believe that over the past year the GDPR has proven its effectiveness. In their view, the regulation helped draw users' attention to the problem of data security. For example, the number of complaints filed with the British regulator almost doubled over the past year, from 21 thousand to 41 thousand.
In the IT industry, however, there is an opinion that the GDPR has merely created another market for law firms and consultants. According to Bjørn Stormorken, CFO of the Swedish social platform Idka AB, the main goal companies pursue in the new environment is not data security but meeting the requirements of the GDPR at minimal cost.
Some regulators are in no hurry to punish violators. About ten European Union countries have not issued a single GDPR fine, among them Belgium, Croatia, the Czech Republic, Finland and Spain. Some states have limited themselves to relatively small sanctions: in Latvia the largest fine to date is 2 thousand euros, and in Bulgaria 5 thousand.
That said, experts expect a sharp increase in both the number and the size of fines in the future. Ireland is already examining the cases of several large American IT companies, and those cases are likely to end in sanctions.
Impact of the GDPR outside the EU
Many states have followed the GDPR's lead and drafted their own data protection laws. Last year, a bill was introduced in India. Its authors say the document was prepared with the specifics of IT regulation in the country in mind, but that foreign experience was also drawn on. Another example is the CCPA, which was approved in California. We discussed these two bills in our blog, here and here.
Photo: Alexander Gerst, CC BY-SA
China has also decided to introduce a law similar to the GDPR; its final version was presented earlier this year. The law's authors themselves say it was created “based on” the GDPR. Its goal is to give the people of China more control over their personal data.
Chinese regulators have already begun to assess the “extent of the problem.” Since January, they have been checking popular smartphone apps to see whether they collect excessive user information. The checks have covered food delivery services, taxi apps and navigation apps.
Some believe the new law will bring some 200 other cybersecurity-related regulations to a common denominator. However, Professor Qi Aimic of Chongqing University noted that the new bill should not simply copy the GDPR, since China has more Internet users and one of the most developed digital economies in the world.
Time will tell how the Chinese law will play out and what impact it will have on the international community. A law very similar to China's has already been drafted in Vietnam, and Tanzania is working closely with the Chinese lawmakers responsible for cyberspace.
Other materials on personal data regulation in our blog:
- A year in action: who was punished under the GDPR, and for what
- The GDPR effect: how the new regulation has affected the IT ecosystem