Lessons from GDPR fines issued thus far
Regulators across Europe are interested not just in the activities of the larger players, but also the hows and whys of certain data breaches, says one partner.
Speaking recently on The Corporate Counsel Show about the year since the implementation of the General Data Protection Regulation in Europe, Holman Webb partner Tal Williams said there have been about 200,000 complaints lodged with the various individual national regulators across the continent.
“Of all the fines that were issued, that makes up around 97 per cent. In other words, there’s a total of about €56 million fines that have been issued, €50 million of which was on Google. And, so, you can see that the authorities are focusing on the big, high-named brands and really making a point that this is important to everybody.”
As a result, Mr Williams surmised, the new regulatory regime is relevant to big and small players across the board.
“Indeed, there are inquiries already going on still. Facebook is under investigation. Apple is under investigation, LinkedIn is under investigation, Twitter is under investigation, Instagram is under investigation, and WhatsApp are all being considered by various regulators in those countries to determine whether or not their privacy requirements comply with the new obligations,” he explained.
“[Regulators] very much will be looking strongly at things. But it’s not just those people. So, one of the more recent cases — and I suppose this is telling for Australia, because this is an obligation of ours — is you only keep data for as long as it’s necessary to keep that data. The Lithuanian regulator has issued a €61,000 fine for somebody who, amongst other things, kept data that should have been kept for 10 minutes, kept it for 216 days.
“That was found to be a breach. Why was it that you needed it for more than 10 minutes? Why was it still on your systems for 216 days? That is something they took into account.
“Similarly, they, the way they managed their breach, was considered inappropriate. And indeed, along those lines as well, there was another party in Italy who did breach, did notify, but then when they notified the affected people, they simply said, ‘You should change your passwords, because there’s been unusual activity on our server’. That was it. And that was found to be a breach as well, because they didn’t give their people whose data had been affected, didn’t give them sufficient information. Didn’t really give the importance or import the importance that attached to it and was found to be a breach as well.”
Mr Williams concluded: “So, the cases, they’re focusing on the big picture, but they are relevant to the small picture.”
In the same episode, Mr Williams said that the GDPR legislation is “pretty similar” to Australia’s existing privacy laws, which — save for some differences and extensions — means that in-house counsel in Australia have been well placed, relative to other jurisdictions, to navigate the new regulations for their respective businesses.
Jerome Doraisamy
Jerome Doraisamy is the editor of Lawyers Weekly. A former lawyer, he has worked at Momentum Media as a journalist on Lawyers Weekly since February 2018, and has served as editor since March 2022. He is also the host of all five shows under The Lawyers Weekly Podcast Network, and has overseen the brand's audio medium growth from 4,000 downloads per month to over 60,000 downloads per month, making The Lawyers Weekly Show the most popular industry-specific podcast in Australia. Jerome is also the author of The Wellness Doctrines book series, an admitted solicitor in NSW, and a board director of Minds Count.