The Cost of Data Protection Compliance

Scholar recommends making improvements to GDPR fines and corrective measures.

If regulators want to make a large company comply with rules that prohibit a course of action, making the action exceedingly expensive seems like a good solution.

The reality, at least for data protection regulation, is not so simple, according to doctoral research fellow Mona Naomi Lintvedt at the University of Oslo.

In a recent article, Lintvedt argues that an implicit assumption underlying the European Union’s General Data Protection Regulation (GDPR)—namely, that significant fines will guarantee a high level of compliance—is simply incorrect. Despite highly visible cases with high fines, the publicly available record shows high levels of noncompliance.

Lintvedt contends that, if the EU is to achieve greater GDPR compliance and live up to the law’s guiding principle of data protection as an individual privacy right, the GDPR needs to be improved. She argues that the EU should create a transparent mechanism for issuing fines, eliminate fines for public entities, and mandate uniform procedures for using non-monetary punishments.

The EU implemented the GDPR in 2018, and it remains one of the strictest data privacy laws in the world. The law continues Europe’s commitment to an individual right to privacy that dates as far back as the 1950 European Convention on Human Rights. The GDPR includes rules for collecting, storing, and processing personal data for anyone within the EU, regardless of where a company or organization engaging in such activity is located. The law also imposes significant fines and other retributive measures for failure to comply with its rules.

The European Commission specifically included high fines in the GDPR to improve on prior data regulations which were not adequately enforced. These high fines were meant to make entities “think twice” about noncompliance. The Commission even decided to increase the maximum fines to 20 million euros following the data privacy violations revealed by Edward Snowden in 2013. Lintvedt explains that the Commission had large U.S. technology corporations in mind when creating punishments for data privacy violations.

The resulting GDPR enforcement, however, has not met those expectations, Lintvedt notes.

There are, Lintvedt describes, a few specific problems with GDPR enforcement. First, when fines are issued, they are not consistent throughout the EU. The GDPR leaves punitive decisions to Data Protection Authorities (DPAs) within each EU country. An oversight body called the European Data Protection Board (EDPB) ensures that DPAs work together under the GDPR, but the EDPB only issues guidance and does not directly issue fines or other enforcement actions, notes Lintvedt. DPAs decide the appropriate punitive measure for a violation of the GDPR based on the law where the DPA is based.

Because punishments differ by geography, corporations might decide to move their operations to the EU country with the most forgiving laws. In fact, to avoid needing to comply with the GDPR, companies such as Facebook and Google have already moved some of their business from the EU to the United Kingdom following Brexit.

EU countries also disagree on how to calculate fines, such as whether to standardize fine amounts or base them on business income. Different countries also vary in terms of how heavily they fine different types of violations. This variation in fine amounts creates confusion on what GDPR compliance should be and does not send a clear message on exactly what behavior the GDPR prohibits, Lintvedt argues.

Fines also create perverse outcomes when issued to a public entity that violates the GDPR, Lintvedt explains. A Norwegian municipality, for example, was fined for indirectly revealing families’ addresses that had children attending a school in the area. The fines were paid with tax revenues, which punishes the same constituency victimized by the violation. Lintvedt argues that different enforcement measures, such as temporary bans, are more appropriate remedies for public organizations that violate the GDPR.

The EDPB creates further inconsistency, Lintvedt contends, in its decisions about which DPA enforcement actions to publish. The EDPB compiles DPA actions but does not publish a comprehensive list. Lintvedt cautions that the lack of uniform guidance on what enforcement action to take, combined with this lack of transparency, has weakened any deterrent effect the GDPR aimed to achieve.

Lintvedt argues that public disclosure and transparency are essential to changing the behavior of entities that process private data. Transparency, Lintvedt explains, demonstrates the consequences of violating and failing to comply with the GDPR. The EDPB also does not update the fines and actions it has disclosed if they are reversed or reduced by a subsequent court action, which only adds further confusion.

Transparency is one of the major tenets of the GDPR itself. Companies and organizations are required by the law to be transparent in how and why they process private data. Why then, Lintvedt asks, should the EDPB not also be required to be transparent about GDPR enforcement?

Although the GDPR has issues with its enforcement, it is still a landmark data privacy regulation. If the EDPB can issue controlling guidance to increase transparency, create uniform enforcement procedures, and eliminate fines for public entities, the GDPR will provide the strong data protection its drafters intended, argues Lintvedt. She concludes that only by strengthening the GDPR’s procedures can regulators hope to make potential violators “think twice.”