Analyzing Early GDPR Enforcement

The first major case under the GDPR has arrived in the form of a French enforcement action against Google, with a €50-million penalty for improperly disclosing to users how data is collected. It was not, however, the first Member State action since the law’s implementation in May 2018 – there have been actions in the U.K., Austria, Portugal and Germany that provide clues about how regulators will be enforcing the new law against small and mid-size companies, and how companies should strengthen their privacy and security programs to meet expectations. In the first installment of our three-part series, we discussed with local experts recent cases involving a hospital in Portugal and a social media site in Germany. The second article examined smaller cases that hold lessons for compliance and enforcement, including the U.K.’s ICO action against a Canadian data aggregator, as well as a series of Austrian cases showing that a seemingly simple CCTV camera outside of a store can violate the GDPR as well. The final article analyzed the levy by the French Data Protection Authority (CNIL) of GDPR’s biggest fine so far – €50 million – against Google LLC, and the compliance and enforcement implications of the case. See our two-part interview with Irish Data Protection Commissioner Helen Dixon: “GDPR Enforcement Hurdles One Year In” (May 29, 2019); “Breach Notification, the Role of the DPO and a U.S. Privacy Law” (Jun. 5, 2019).
