ZDNet.com, relying on research by Forrester Research, recently reported that “GDPR enforcement is on fire!” This likely foreshadows a similar rise in US privacy enforcement proceedings in the near future. Indeed, where the FTC and state AG offices cannot keep up, plaintiffs in the United States appear more than willing to file lawsuits.
While the US still has no national privacy law, nor do most states, unfair and deceptive practices law will likely fill at least some of these gaps until additional statutes and regulations are passed. Moreover, the growing body of privacy laws, such as the CCPA, the GDPR, and numerous sector-specific federal privacy laws, will increasingly serve as “de facto” standards, even where these laws do not technically apply.
ZDNet.com, relying on research by Forrester Research, reported the following statistics regarding GDPR enforcement as of February 3, 2020:
- Data protection authorities (DPAs) have levied 190 fines and penalties to date (the GDPR became applicable in May 2018).
- Failures of data governance, rather than security breaches, have triggered the most fines and penalties: issues with data accuracy and quality, and with the fairness of processing (for example, whether firms collect and process more than the minimum amount of data necessary for a specific purpose).
- The biggest fines have come not from the security breach itself, but from the “poor security arrangements,” including the lack of adequate authentication procedures, that investigators identified while examining the breach. In practice, a breach notification invites scrutiny of an organization’s overall security controls, not just of the incident that was reported.
- Big fines have resulted from the compromised data of a single individual. For example, Spain’s data protection regulator fined two telecom providers over issues affecting a single customer: one erroneously disclosed a third party’s credentials to a customer, allowing that customer to access sensitive third-party data (a fine of 60K Euros), and the other processed a customer’s data without consent (a fine of almost 40K Euros). A hospital in Germany was also fined 150K Euros for GDPR violations arising from the misuse of a single patient’s data.
- Forrester expects the next enforcement wave to come from failures to honor individuals’ privacy rights, such as data access and deletion requests. For example, a German company that archived customer data in a way that made deletion impossible was fined 14.5 million Euros. Forrester also reported that while most of these enforcement actions have been triggered by customer complaints, complaints from employees are increasing as well, typically over delayed or incomplete employer responses to employee access requests.
- Third-party (e.g., vendor) management and due diligence is expected to be another major upcoming area of GDPR enforcement.