Let's talk Data Protection Fines | Risk Advisory | Deloitte Netherlands


Let’s Talk Data Protection Fines

Explore how authorities differ a lot in enforcing the GDPR

The GDPR is one of the latest and most prominent examples of a harmonized law that lacks an equally harmonized enforcement landscape. Indeed, while the law is the same in all 27 Member States, the enforcement priorities can vary significantly by country and over time. Find out more about these enforcement strategies below.

With the enactment of the GDPR in 2018, data protection topics have gained great momentum within organizations in Europe. Similarly, European Data Protection Authorities (DPAs) are becoming more active in acting against non-compliance with data protection legislation, especially through fines. However, these DPAs have very different focus areas when it comes to imposing fines on organizations, and some are much more active and/or visible than others. In this blog, we highlight some of these differences and provide insights on who or what may be next on these authorities’ radar…

GDPR, a regulation with teeth

When the GDPR was designed, it was given sharp teeth. Independent DPAs, one for each jurisdiction, are tasked with monitoring and enforcing GDPR compliance and are granted the power to fine organizations that do not comply with the GDPR’s requirements. Indeed, these fines can really hurt, as they can run up to 4% of the annual revenue of an organization or €20 million, whichever is higher. This means that DPAs have the power to issue some of the harshest penalties for breaches of data protection legislation in the world. The Luxembourg DPA currently takes the crown for reporting the highest fine: €747 million.

European DPAs have different focus areas

European DPAs are generally not equipped to investigate every organization operating in their territories, meaning they need to set priorities. DPAs sometimes publish their priorities in their enforcement strategies, and we have seen that these priorities generally differ for each country. Below, we have highlighted how several large or otherwise interesting European DPAs have set their priorities. Operating in one or more of these countries? Be sure to pay attention to these topics; and even though it is recommended to keep an extra eye out for them, working towards compliance across the board is by itself always a good idea.

  • Spanish DPA: The Spanish DPA is the most active issuer of fines of all DPAs in Europe. In its latest annual report, the DPA states it wants to drive companies to become compliant without using financial penalties. At the same time, the number of fines it issued in 2021 actually increased by almost 50% compared to 2020. A priority target for this DPA is the telecommunications sector. However, the highest fines went to internet services operators and social networks. Its most frequent ground for imposing fines is that organizations lack a sufficient legal basis for processing.
  • Italian DPA: The Italian DPA is also very active in its investigations and fining of companies, ranking second when it comes to the number of published data protection fines in Europe. It usually starts investigations as a follow-up to formal complaints but is also known to start investigations on its own initiative. The Italian DPA has prioritized issues regarding the use of artificial intelligence, monetization of personal data, acquisition of (personal) data using smartphone apps, and the usage of health data in COVID-19 apps.
  • French DPA: The French DPA creates an investigation plan each year, in which it sets out several priorities for the next year. For 2022, it is taking a closer look at commercial prospecting, monitoring of remote workers, and the use of cloud computing. In early 2022, it also issued massive fines for non-compliance with the rules around cookie consent. The French DPA is very active in providing guidance and tools for organizations to become and/or stay compliant.
  • Dutch DPA: The Dutch DPA is less active when it comes to issuing fines than the DPAs mentioned above. It has set out an enforcement strategy for 2020-2023, outlining its focus areas. The chosen themes are data trade, digital government, artificial intelligence, and algorithms. The Dutch DPA follows a risk-based approach toward enforcement, prioritizing issues that pose a high risk to citizens. It makes explicit that fines are only one of the many supervisory tools it can use, alongside standard explanations, advice, and education, to name a few.
  • Belgian DPA: The main goal of the Belgian DPA’s strategy is to protect the interests of citizens while keeping technological, economic, and societal evolutions in mind. It has identified various sectors that it will investigate with priority, including government, telecommunications, education, and direct marketing. It has also set priorities as to the GDPR provisions it pays most attention to, and these priorities can be identified when looking at its history of fines. The Belgian DPA’s fines have focused on the legal bases for data processing, fulfilment of data subject rights as well as the role of the data protection officer.
  • Irish DPA: The Irish DPA has not published an enforcement strategy. Most of the fines issued by the Irish DPA were for organizations not having sufficient security measures in place. However, in its strategic plan, the Irish DPA states it generally prefers using ‘soft enforcement’ before fining. By providing guidance and engaging extensively with organizations, it aims to drive compliance rather than penalize non-compliance.

Harmonization: myth or reality?

With the GDPR, a harmonized data protection law was introduced in the EU. However, the DPAs all independently set their (enforcement) strategies, leading to different approaches and priorities. There have been discussions on whether certain DPAs are ‘too soft’, and whether companies sometimes abuse the fact that DPAs differ in their ‘harshness’.

The individual DPAs decide what they feel is the most fitting way to enforce the GDPR. This includes whether to frequently impose fines or to try and steer organizations towards compliance by engaging with them and guiding them. The GDPR has done a lot for the harmonization of data protection within Europe. However, when it comes to enforcement and supervisory authorities, it is clear that local differences are still significant.