Abstract
ABSTRACT The General Data Protection Regulation (GDPR), which went into effect in May 2018, enabled European Data Protection Authorities (DPAs) to fine companies up to 4 percent of their annual revenue in the event that they were found in violation of the regulation's requirements for data collection, processing, and use. But the regulation gave DPAs considerable leeway to determine how they would implement these penalties. This article analyzes 261 publicly available GDPR enforcement orders issued by DPAs during the first 24 months of the GDPR implementation. The findings show that most GDPR fines levied so far have been relatively small, many of them within the thresholds set by earlier laws prior to the GDPR. Additionally, only half of the GDPR articles for which penalties are designated have actually resulted in public enforcement actions, and those fines that have been levied focus primarily on violations of five particular articles, four of which pertain primarily to user privacy protections. However, despite the fact that most of the fines issued under the GDPR have been in response to privacy violations, the largest fines have been triggered by security incidents, and, on average, security violations still receive larger fines than privacy violations.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.