DMN contributor and practising attorney Joe Stanganelli gives us his perspective on GDPR.
When it comes to the EU’s General Data Protection Regulation (GDPR), doom-saying pundits aver that there’s danger in numbers.
For instance, GDPR grants EU member-state data-protection authorities (DPA) maximum fining powers for subject data-protection violations of the higher of €20,000,000 or 4 percent of annual revenues. Meanwhile, the number of noncompliant organizations is similarly large. Reportedly, tens of thousands of data-protection complaints have already been filed throughout Europe. Still, nearly six months after GDPR came into effect, global GDPR compliance remains lackluster.
In its 2018 Privacy Governance Survey, the International Association of Privacy Professionals (IAPP) – which has approximately as many members worldwide as Europe has data-protection complaints – found that only 44 percent of respondents reported full GDPR compliance by their respective organizations. More eye-poppingly, the survey found that more than 10 percent of privacy professionals believe that their respective organizations will never be GDPR-compliant.
But maybe that’s a good thing. Maybe the old bromide is right – that there’s safety in numbers.
A brief history of data-protection enforcement in the EU
Of course, in a vacuum, applying the principle of “safety in numbers” to rampant GDPR noncompliance may be overstating EU politicos’ patience a tad. The enormous complexity and uncertainty surrounding how GDPR will be interpreted and enforced by DPAs, however, suggest that the DPAs will only be hitting hard with those massive fines against the easiest and most egregious targets in the first few years of GDPR. A look at past DPA action can shed some light here. In pre-GDPR days, harsh punitive actions by DPAs were the exception – not the rule. Cases in which DPAs issued enormous fines for data-protection violations have typically involved especially outrageous circumstances; often the data-protection violations were accompanied by other, more egregiously unlawful activity.
In February 2017, for instance, Italy’s DPA issued the highest fine ever by an EU DPA against a company—€5,880,000, representing €10,000 for each of 583 affected data subjects plus an additional punitive €50,000. This fine, however, was not for the kind of everyday privacy infringements often tolerated in other parts of the world; it was for exceptionally gross data-protection violations exacerbated by apparently intentional attempts to unlawfully evade anti-money laundering rules.
A similar situation arose in 2014, when Germany’s DPA fined an insurance company €1,300,000 for data-privacy infringements. There too lay exacerbating circumstances: the company’s employees had allegedly been bribing government workers for decades to obtain individuals’ personal information.
Accordingly, while marketers should be concerned with GDPR compliance, fear of gigantic fines should not be the driving factor. Think of DPAs like traffic cops on the highway; they don’t pull over every car going over the speed limit – because of resources, practicalities dictating best practices, and even sympathy. They’re looking for the outrageous offenders (e.g. cars going exceptionally fast, cars speeding while swerving all over the road, etc.) and the attractive targets (e.g. speeding red sports cars). Similarly, DPAs aren’t going to come down with the wrath of God on every single business violating GDPR just a little bit when there are so many non-compliant organizations.
“[I]t’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm,” wrote UK information commissioner Elizabeth Denham in an August 2017 blog post on GDPR myths for the UK Information Commissioner’s Office (ICO) — the UK’s DPA. “The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Denham went on to point out that, of 17,300 cases concluded by the ICO in the prior year, only 16 resulted in fines—and that the ICO had yet to fine an organization the maximum amount allowed under pre-GDPR rules (£500,000). Not long after that blog post, however, the ICO made clear who the exceptions would be.
Data brokers in convertibles
The blog post was taken down earlier this year (it remains archived here) in the wake of two data mega-exposures. Two months ago, the ICO announced that it was fining Equifax the pre-GDPR maximum of £500,000 for the super-breach the credit-reporting agency suffered last year – partly because the data breach was so enormous, partly because Equifax’s entire business model relies on collecting and trading personal data, and partly because subject individuals may not have any idea Equifax has their personal information to begin with. In short, Equifax was a bright-red sports car.
Then the ICO whipped out another pre-GDPR maximum fine of £500,000 against Facebook for infractions related to the Cambridge Analytica scandal. In doing so, the ICO expressly stated that to issue an even larger fine would have been “reasonable and proportionate” if it had the power to do so because of the circumstances of the case, And, indeed, the social-network giant suffered a similar row in March 2017, when France’s DPA levied the maximum sanction it could against Facebook— €150,000—for several violations of the French Data Protection Act.
Any why not? Facebook is one of the most reviled of all companies by DPAs (the EU’s distrust of Facebook is pretty much why Safe Harbor went away). Facebook is the hottest, reddest, slickest Maserati on the data-privacy Autobahn.
GDPR-enforcement takeaways for marketers
I’ve written here before that GDPR compels marketers to be better at their jobs by getting them to stop using sleazy marketing tactics that don’t work. That phrasing is not just me being cute; I am being very serious. It’s one thing for marketers to not pay close attention to how all of their website widgets jive with GDPR compliance. It’s another thing for marketers (martech vendors in particular) to purposely engage in digital tactics that amount to trickery, coercion, and data gluttony.
So a plain ol’ marketing organization still working on getting up to speed with GDPR is probably fine for now (assuming its security and incident response aren’t atrocious); even if it does get dinged by a DPA, the damage — like that of a speeding ticket — is unlikely to be earth-shattering . If, however, you’re breaking other laws while violating GDPR — or doing anything else involving personal data that you wouldn’t want your mother to know about – then you may well wind up a test case for an enormous GDPR fines.
And if you do work for one of the world’s bright-red sports cars of data privacy (Facebook, Google, Amazon, Microsoft, Apple, Uber, etc.), don’t lose hope. Even large and unsympathetic data brokers are given a heads up by DPAs. Those in the GDPR compliance business, accordingly, are telling stateside organizations not to panic; they know that the DPAs know that GDPR confusion remains widespread – even among the DPAs themselves. To wit, with just a little care and a little planning, a marketing team’s GDPR odds can be favorable.
Note: This article is provided for informational, educational, and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication, or affirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.
