GDPR enforcement: what we can expect from Europe's data protection authorities

While the GDPR, applicable from 25 May, envisages formal cooperation between national data protection authorities (DPAs) on cases with cross-border impact, the authorities retain powers of enforcement in their own jurisdiction. Included in the GDPR are new powers that could see the DPAs issue sizeable fines – up to 4% of a business' annual global turnover, or €20 million, whichever is highest.

The potential penalties that could be imposed are far greater than what DPAs have been able to issue up until now, but according to data protection law specialists from around the European offices of Pinsent Masons, the law firm behind Out-Law.com, experience tells us that some of the authorities are likely to take a harder line on enforcement than others.

Claire Edwards in the UK

The update in data privacy regulation has brought a huge amount of change, not just in what legally a business that processes personal data is required to do, but also how compliance and enforcement is viewed by the regulator.

Practices accepted previously need to be re-evaluated – transparency is central in the mind of the UK's Information Commissioner's Office (ICO), in recognition of the GDPR's obligations for clarity and openness on data processing with the individuals to whom the data relates.

Information commissioner Elizabeth Denham has talked openly about accepting that most businesses will be on a "journey of compliance" and that she will look to use 'the carrot' and not 'the stick' in her powers through engagement, education and encouragement before she applying her enforcement powers.

The ICO has identified data protection audits as a method for organisations to check they are complying with data protection laws and identify any weaknesses in their systems before breaches occur. If organisations self-report and engage with the ICO, Elizabeth Denham has stated the ICO's response will be proportionate and pragmatic.

That said, the ICO's powers under the new regime have been enhanced. The new Data Protection Act, recently passed by the UK parliament, provides the ICO with the right to issue information or assessment notices; require urgent compliance within 24 hours; and inspect and assess compliance without notice.

The information commissioner also confirmed recently that the ICO had sought budget for recruitment of a further 150 enforcement officers – her current team consists of around 60 officers. There is an inference here that the ICO is 'tooling up' to ready itself for the additional workload expected under the GDPR, but we might expect enforcement officers to be as much 'education officers' as they will be appliers of sanctions or their other enforcement powers.

In terms of areas of interest, the ICO has highlighted its interest in a number of technological areas, from artificial intelligence – where it is looking at data ethics and responsible use – to cybersecurity and web and cross-device tracking. We can expect the ICO's interest and activity around tracking to grow as the anticipated e-Privacy reforms materialise.

Annabelle Richard in France

In France, in the initial period following the GDPR taking effect, businesses can expect the Commission nationale de l'informatique et des libertés (CNIL) to take a very different view of non-compliance where the practices relate to the fundamental principles of data protection that existed pre-GDPR and the new obligations or rights resulting from the Regulation.

Fundamental principles include principles of fair processing, relevance of the data collected, not retaining data for any longer than necessary and implementing appropriate data security, for example. The new obligations or rights resulting from the GDPR include rules around data portability and conducting data protection impact assessments.

We expect the CNIL to be unsympathetic with businesses they find in breach of the fundamental principles that remain essentially unchanged. However, it has indicated that it will initially adopt a more flexible position when it comes to compliance with the new rights and obligations introduced by the GDPR, provided the companies can show that they have been acting in good faith in taking steps towards compliance. The main purpose of controls the CNIL could impose in this regard will be to accompany the companies on a learning curve towards good understanding and implementation of the new requirements.

Like in the UK, AI is likely to be a continuing focus for CNIL. This is in line with the attention given to the topic in a report by the French parliament and the fact the International Conference of Data Protection and Privacy Commissioners chose AI as one of its work items. In 2018, the CNIL intends to extend work it has already done on AI, notably in relation to the legal framework for data sharing and pooling.

The CNIL also plans to propose concrete and accessible solutions and guidelines for organisations that wish to use blockchain technology in the context of personal data processing.

We also expect the CNIL will continue its work on ethical issues related to privacy by design to examine the role of privacy by design in helping users maintain control over their data and the role of the person in charge in supporting users in this process. Related to this, the CNIL is to look deeper at cognitive and behavioural sciences.

Stephan Appt in Germany

The enforcement of data protection laws in Germany is complicated by the fact that the powers of enforcement reside not with one national authority but with several state authorities.

In recent times, state DPAs in Hamburg and Schleswig Holstein in the north of Germany in particular have demonstrated their willingness to utilise their data protection powers and clampdown on practices that they deem to be inconsistent with the law, while other authorities, including in Bavaria and Baden-Württemberg in the south have tended to be more understanding and pragmatic in their approach.

Recent comments that senior officials at the Hamburg and Schleswig Holstein authorities made provide an insight to the type of approach to GDPR enforcement that they might take.

Johannes Caspar, Hamburg's data protection commissioner, and Marit Hansen, data protection officer of Schleswig Holstein, were reacting to comments from EU justice commissioner Věra Jourová who suggested recently that businesses that are not compliant with the GDPR at the point it begins to apply could nevertheless benefit from a period of lenient enforcement for up to two years.

Caspar pointed to the two years businesses have had already to comply with the GDPR since it was finalised by EU law makers and said it is "legally inadmissible" for a grace period to be applied. He said DPAs are "bound by the law" to apply it from 25 May and face potential legal action from consumers if they do not pursue their complaints properly.

Hansen said a grace period of two years would "draw the teeth" from the GDPR and that it is clear that the Regulation must be applied from 25 May by DPAs, albeit proportionately.

The view of some businesses in Germany, however, is that they are missing some data protection guidance to help them comply with the GDPR and that they cannot be expected to invest in solutions if they are unsure DPAs will accept them. There may be some sympathy from some of the state DPAs in Germany for this view.

Overall, the focus of German enforcement of the GDPR initially is likely to be in the business-to-consumer context.

Andreas Carney in Ireland

Helen Dixon, the Irish data protection commissioner (DPC), has spoken of her reactive and proactive enforcement priorities in the short term following 25 May.

In terms of reactive enforcement, the DPC has highlighted that she, and other data protection authorities, will be required to respond to all complaints that are lodged with them. This is one of the reasons, so the commissioner has said, why it is critically important for organisations to properly deal with the exercise of data subject rights from 25 May onwards. 

A failure to deliver on the rights of access, portability and objection, for example, are likely to draw the attention of data protection authorities as they start to see complaints being lodged. The DPC had indicated that her office's first priority will be to be responsive to the risks and trends it identifies in handling those complaints.

On pro-active enforcement, Dixon has pointed to transparency being a priority. She views this requirement as central to empowering data subjects and a vital element in giving them the control over their data as envisaged by the GDPR.

Transparency impacts many aspects of the legislation, in particular the exercise by data subjects of their rights. In the DPC's view, the exercise of any rights by a data subject flow in the first instance from having clear knowledge of the collection and use of their data – the exercise of rights simply cannot happen if there has not been transparency. 

Paloma Bru in Spain

In the case of Spain, although there has not been an official statement by the Spanish data protection agency (SDPA) on the position or official approach it will adopt during the first year of application of the GDPR, it is clear that the authority will demand strict compliance with the general principles established by the new Regulation.

However, it is expected that during this initial stage the authority will be more flexible regarding compliance with the new rights that data subjects enjoy, although businesses should not expect the SDPA to be flexible if they have not at least tried to observe the new rules or are not taking steps towards doing so.

We anticipate that the Spanish data protection authority will continue issuing guidelines for compliance with the GDPR and, in particular, compliance guidelines related to the new Spanish data protection law, approval of which is expected to take place in the coming months. During this first year, companies should, in addition to complying with the GDPR, look out for local guidelines from the SDPA on the new Spanish regulations on data protection.

In terms of compliance, as in other jurisdictions, it is possible that, initially, the focus of activity for the SDPA will directly derive from, or mainly relate to, claims concerning compliance with the new information obligations established by the GDPR as well as the validity of the consents obtained to carry out certain processing under the new Regulation.