Looming European Union privacy sanctions against Twitter Inc. and Facebook Inc.'s WhatsApp signal that regulators are poised to step up enforcement of the bloc’s sweeping two-year-old data privacy law.
The Irish Data Protection Commission has wrapped up its probe of Twitter’s compliance with the General Data Protection Regulation and will distribute its draft decision to other EU data protection offices for approval. The commission has also advanced a larger probe into Facebook Inc. and is in the final stages of an investigation into that company’s WhatsApp.
“Businesses have been given plenty of time to get their act together,” said Rafi Azim-Khan, leader of Pillsbury Winthrop Shaw Pittman LLP’s data privacy and cybersecurity practice in Europe. Regulators are beginning to “lose patience” and will issue “more aggressive fines and actions,” he said.
The GDPR, which took effect May 25, 2018, requires companies to have a legal basis for data collection and handle data transparently. Companies violating the law can be fined as much as 4% of their global annual revenue, depending on the nature of the violation.
Regulators have endured criticism from attorneys and advocates since the law took effect for doing too little to enforce it. Because the Irish regulator’s draft decision is subject to EU-wide approval, it will test the extent to which the bloc’s regulators are ready to cooperate on GDPR enforcement.
The moves against Twitter and Facebook, as well as other enforcement actions that will result from the ongoing probes, will help set the bar for future fines and give other companies compliance roadmaps. The next round of sanctions should see fewer procedural challenges, leading to swifter action.
Large enforcement cases will start to land that will establish “fair procedures” in future enforcement for both companies and regulators, Daragh O Brien, the founder and CEO of Castlebridge, a data governance firm, said.
The Irish Data Protection Commission, the lead EU privacy regulator for large tech companies, has 23 ongoing investigations, including probes of Twitter, Facebook, Apple Inc., and Alphabet Inc.'s Google.
The regulators have been criticized for taking too long with their investigations and for not issuing enough guidance to companies on how to comply with the law.
“The EU watchdogs have not yet been able to find their role,” said Christopher Schmidt, an independent EU privacy consultant who used to work for the Hessian Data Protection Commissioner. “The issue of strong enforcement and better citizen protection is still a thought experiment.”
Still, companies may resist changes to their data practices that could harm bottom lines. They also will likely appeal enforcement fines—and courts may agree with them.
A Belgian court overturned a 10,000 euro fine because there was no processing of personal information. An Austrian court overturned a GDPR fine against a betting shop because there were procedural issues with the data protection office’s decision.
The Spanish Supreme Court in January overturned the Spanish privacy regulator’s decision, made under the GDPR’s predecessor directive, in a right-to-be-forgotten case against Microsoft Corp.
The legal challenges ultimately will add clarity to the law and lead to a “more mature field of privacy,” said Alex van der Wolk, co-chair of Morrison & Foerster’s global privacy and data security practice.
Van der Wolk said the GDPR has had an impact, despite critics who say regulators have moved too slowly.
“The post-GDPR looks a lot different than the pre-GDPR world,” van der Wolk said. “The vast majority of people are now aware of their privacy rights,” and companies’ “privacy compliance is now front of mind.”
The landmark privacy law has altered data practices around the globe since it took effect. Companies like Microsoft now allow users to access and delete their data, an option that didn’t exist before the European law took effect.
The GDPR has also helped mold the California Consumer Privacy Act and shaped the debate around comprehensive U.S. privacy legislation.
The law has “rocketed privacy to a C-level concern for practically every global company,” said Daniel Felz, senior privacy associate at Alston & Bird. “In the US, emerging state privacy laws have adopted concepts of personal information and data rights from the GDPR.”
Besides the Belgian, Spanish and Austrian regulatory moves, the U.K. Information Commissioner’s Office announced an intention to fine Marriott International Inc. 99 million pounds for a data breach that likely began in 2014. The office also announced it would fine British Airways 183.4 million pounds for a 2018 breach.
France’s CNIL fined Google 50 million euros in January 2019 for not being transparent and for not getting valid consent for data processing. Google has appealed the decision.
Ireland’s Twitter decision is likely to be the country’s first big tech enforcement fine.
The U.K. and Ireland have also begun investigating the advertising sector and cookie use. Those investigations may have ramifications for how companies do business online, privacy attorneys said.
But companies, attorneys, and advocates should look at how the GDPR has changed business practices, rather than fines, to gauge the success of the law, O Brien said.
Relying just on “fines as your evidence for the effectiveness of legislation is like just focusing on the crime statistics for how effective your police force is,” O Brien said.
The best metric for measuring enforcers’ success is whether their actions change company practices, said Johnny Ryan, chief policy and industry relations officer at web browser Brave.
“Forcing a business to change how it uses data, and what it uses data for, can change the nature of that business,” he said. “This is the true power of the GDPR enforcers.”