Google was hit with a $5.1 billion fine by the European Union on Wednesday for antitrust practices around the Android mobile operating system – a move that underscores Europe's willingness to issue steep financial penalties for bad behavior.
And there’s another bludgeon in the EU’s cache that Google – and the advertising world in general – have to fear: the General Data Protection Regulation (GDPR).
But nearly two months past the General Data Protection Regulation compliance deadline, regulators in Europe are still playing their cards close to the vest.
The stakes could hardly be higher, as GDPR permits fines of up to 20 million euros or 4% of annual global turnover.
It’s unclear which industry will get hit with the first enforcement action, how much the average penalty will be or which countries will be most strict in their application of the law.
“They’re waiting for the dust to settle,” said Alex van der Wolk, global co-chair of the privacy and data security group at Morrison & Foerster. “There was no expectation of a lot of enforcement right away, for regulators to come out shooting.”
But there have been clues. AdExchanger reporting indicates that enforcement actions are likely to concentrate in a handful of countries, that Ireland will play an outsize role and that warnings will precede fines.
Where will the rubber meet the road?
Although one of the primary goals of GDPR is to reconcile privacy laws across Europe, the data protection authority (DPA) in each member state has leeway in how stringently the rules are implemented.
“The object of GDPR is harmonization of the law, but when it comes to enforcement of the law, it’s pretty much the regulator’s prerogative,” van der Wolk said, “and we’re going to see varying applications on a national level.”
Certain jurisdictions are more active on consumer protection, and the usual suspects are likely to enforce GDPR with gusto.
The big ones are Germany, France, the UK and Spain, said Dominique Shelton, co-chair of the ad tech privacy and data management practice at Perkins Coie.
A few data-protection-friendly jurisdictions have already received complaints, although there’s been no enforcement. Lawyer provocateur Max Schrems, for example, filed class-action complaints against Facebook, Instagram, WhatsApp and Android on May 25 to the DPAs in France, Austria, Belgium and Hamburg, Germany, all of which will likely give the complaints a sympathetic hearing.
“These places were not chosen arbitrarily or by accident,” Shelton said.
But action could come from any quarter. The GDPR bestows new powers on the DPAs, including the ability to conduct broad audits and obtain access to a business’s premises, and smaller jurisdictions may soon flex their muscles.
“Don’t forget about countries like Hungary and Romania,” van der Wolk said. “They’re going to start making use of their powers.”
And that’s why it’s useless for companies to play games with their compliance regime.
“The best defense for a company is to get into a reasonably compliant position,” Shelton said. “Don’t look at a map and say, ‘Maybe this jurisdiction is safer than that one,’ because there have been surprise decisions.”
But will the road come up to meet you?
One country that could be full of surprises is Ireland.
It’s where most big Silicon Valley tech companies have their European headquarters, including Facebook, Google, Twitter and Apple, owing in part to the country’s exceedingly low corporate tax rate. It’s also where Schrems initiated his successful multiyear war against Facebook’s data collection practices that ended up killing the safe harbor agreement.
Ireland is viewed as a “pragmatic regulator,” van der Wolk said, “approachable … where you can talk to them and plead your case.” And as the tech hub of Europe, a lot of cases and complaints are likely to fall on Ireland’s plate.er
Helen Dixon, the data protection commissioner for Ireland, has said her office’s initial focus is on reacting to the large number of complaints coming in from EU citizens. The Irish DPA "will aim to amicably resolve the issue” before resorting to fines, Dixon said at a recent data and security conference in Dublin.
How to stay out of trouble
Regardless of where the first enforcements come from, regulators aren’t gunning for gotcha moments. Companies that take compliance seriously are likely to get a warning long before they’re slapped with a penalty.
“All along we’ve heard regulators talk about GDPR as a process, not a destination,” Shelton said. “The idea is for companies to incorporate privacy and data security into their day-to-day ops.”
The Dutch data protection authority, for example, has said that a “genuine commitment and best efforts to meeting [a company’s] GDPR obligations” will count as a mitigating factor, and the French information office has noted that companies “can expect to be treated leniently initially, provided that they have acted in good faith.”
Those that don’t take those steps? Well…
At an International Association of Privacy Professionals event in April, the UK’s information commissioner, Elizabeth Denham, said that although voluntary compliance is the “preferred route,” her office is ready to get tough when it’s necessary with “hefty fines” levied on organizations that “persistently, deliberately [and] negligently flout the law.”
The more stringent 72-hour data breach notification requirement for companies under GDPR will also clue in regulators to potential enforcement actions.
“Regulators will become aware of breaches that they might not have even known about before and although they can’t follow up on everything, we are going to see them respond,” van der Wolk said.
DPAs are also likely to be swayed into enforcement by an overabundance of complaints against a company or to take a cue from the media and issues that receive press scrutiny, such as Cambridge Analytica. [If that particular scandal had taken place after May 25, for example, the $664,000 fine that the UK’s Information Commissioner’s Office levied in early July would have been more like $1.9 billion.]
Not unlike the Federal Trade Commission, regulators might also choose to enforce a case they know they can win against one company to signal to the market that they’re making an example of certain bad conduct through guidance and a fine.
But DPAs must be judicious about the cases they bring. They’ve only got so many people on staff and their workload is increasing exponentially post-GDPR.
“Expect regulators to issue a warning or recommendations first, before issuing penalties,” van der Wolk said. “GDPR is new, these obligations are new and companies are still getting adjusted.”