Early GDPR Penalties: Analysis of Implementation and Fines Through May 2020

Abstract

The General Data Protection Regulation (GDPR) which went into effect in May 2018 enabled European Data Protection Authorities (DPAs) to fine companies up to 4 percent of their annual revenue in the event that they were found in violation of the regulations requirements for data collection, processing, and use. But the regulation gave DPAs considerable leeway to determine how they would implement these penalties. This paper analyzes 261 publicly available GDPR enforcement orders issued by DPAs during the first 24 months of the GDPR implementation. The findings show that most GDPR fines levied so far have been relatively small, many of them within the thresholds set by earlier laws prior to the GDPR. Additionally, only half of the GDPR Articles for which penalties are designated have actually resulted in public enforcement actions, and those fines that have been levied focus primarily on violations of five particular Articles, four of which pertain primarily to user privacy protections. However, despite the fact that most of the fines issued under the GDPR have been in response to privacy violations, the largest fines have been triggered by security incidents, and, on average, security violations still receive larger fines than privacy violations.