Overview of recent sanctioning practices

The annual reports of the DPAs, together with the binding decisions of the EDPB in all cross-border cases (within and beyond the EU), help us understand how the fining powers in the GDPR work in practice. Although administrative sanctions already existed in most Member States, some countries did not have them, and not all of those were interested in introducing them; nor were all DPAs in those countries interested in adding administrative fining to their enforcement policies. Article 83(9) GDPR had to resolve this for Estonia and other countries unfamiliar with fines imposed by administrative authorities: where a Member State's legal system does not provide for administrative fines, the fine may be initiated by the DPA and imposed by the competent national courts (Article 83(9) GDPR).[1] Belgium had to create a system of administrative sanctioning within its data protection law by setting up a Litigation Chamber within the DPA, and imposed its first (modest) administrative fine on May 28, 2019 in a case against a local authority. The message spread, particularly among public servants: under the GDPR nobody escapes punishment in case of abuse! Legal systems that already applied administrative sanctions updated their sanctions and continued their enforcement policies.

On 26 March 2019, the President of the Polish Personal Data Protection Office (UODO) announced the first administrative fine under the GDPR, of 230,000 Euro. The fine was imposed on a data broker for not providing approximately 6.6 million sole traders with its privacy notice. The broker had notified only those persons whose entries in public files included an email address, and had not informed the others listed in public databases (with a postal address only) because of the cost.
The case is bad news for data brokers, data aggregators, banks, recruitment agencies and their clients, and any other data controllers that collect data from public sources. An appeal to an administrative court has been announced.[2]

In 2018, the Information Commissioner's Office (ICO), the UK DPA, imposed 22 fines under the UK Data Protection Act 1998, including fines against Equifax, Facebook, Uber, the Crown Prosecution Service and Yahoo. Since the infringements in question took place before the GDPR came into force, the maximum fine for a single violation was £500,000. The maximum fine was given to Facebook for serious breaches of data protection law with regard to the use of data analytics for political purposes in the Cambridge Analytica case. The penalty was imposed in connection with the app developed by Dr Aleksandr Kogan, which collected data that was subsequently passed to a parent company of Cambridge Analytica. The penalty was imposed for breach of the first data protection principle (fair processing) and breach of the duty to have appropriate technical and organisational measures in place. In GDPR terms, these would equate to Articles 5(1)(a) and 5(1)(f), punishable under Article 83(5) GDPR. Elizabeth Denham, Information Commissioner, commented that the "fine would inevitably have been significantly higher under the GDPR".[3] Another event revealing the ICO's strong policy stance against disregard of personal data provisions was the Vote Leave case in March 2019. Vote Leave Limited (the UK's official Brexit campaign) was fined £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. The ICO carried out searches and identified nuisance calls, spam texts and unsolicited direct marketing as 'areas of significant public concern' (see on this concept below).

In January 2019, the French CNIL found Google lacking in transparency about how it collects and handles user data for the purpose of serving personalised ads. A very high fine (50 million Euro), the largest yet issued under the EU's new data privacy law, was imposed because the infringements observed deprived users of essential guarantees, such as transparency and informed consent, and were not incidental, one-off or time-limited, but continuous and ongoing breaches. The case is expected to profoundly change the way an American company such as Google's subsidiary DoubleClick profiles and targets ads to internet users in the EU based on information gleaned from websites, account registrations, social media, advertising and marketing efforts, newsletters and list rentals, data brokerages, public sources of information and more.[4]