One year GDPR, what's the status?
A first assessment of the fines and warnings actually imposed under the General Data Protection Regulation.
On 25 May 2018, the General Data Protection Regulation (GDPR), an EU law, came into force throughout Europe. This also affected website operators that were only accessible to countries of the European Union. The law's lack of concrete wording and its partly contradictory requirements unsettled both website operators and their visitors, and the high fines did nothing to ease this general uncertainty about the GDPR.
A year has now passed since then, and we take stock of the fines and warnings actually imposed under the General Data Protection Regulation.
Uniform data protection
The aim of the data protection regulation was to introduce uniform protection for all users of the European Union throughout Europe, following the example set by Germany. However, this was by no means the first attempt to implement it. As early as 1995, the European Data Protection Directive was launched, but its opening clauses left room for too many exceptions. This gap was to be closed by the GDPR.
The GDPR thus not only aims at data protection, but also at facilitating its implementation. Since then, website operators no longer have to research the rules of every member state and account for national peculiarities in their privacy policies. This is an important tool, especially for online shop operators who want to operate throughout Europe.
Due to its complexity, of which the legislator was also aware, a temporary grace period was allowed. No fines were imposed until the end of 2018, but warnings were issued.
Once the GDPR was actively enforced, the first fine was imposed on knuddels.de. This social network was attacked by hackers and lost hundreds of thousands of its users' passwords. The problem was that the passwords were stored unencrypted in its database and were therefore available to the attackers in plain text. Combined with an e-mail address or a user account, there is a high probability that users reused this password elsewhere. The first fine, of 20,000 euros, was imposed here.
Immediately afterwards, the largest provider on the Internet was sanctioned: Google received one of the biggest penalties. With a fine of 50 million euros, the French data protection authority penalised a whole series of data protection violations. Even for Google, the fine imposed under the GDPR was high enough to warrant an appeal.
Status in Germany
German companies did not have to contend with such high sums. In total, over one hundred fines and warnings were imposed for violations of the GDPR, amounting to penalties worth half a million euros in Germany.
This may sound very drastic at first, but compared with the fines imposed by the Federal Network Agency, which imposed twice as much in the same period, it seems unusually little.
In Germany, the fintech company N26 received one of the highest fines. For various data protection breaches, the banking app had to accept a payment of about 50,000 euros. The main reason was that the operator put selected customers on a blacklist. The exact purpose of this is not known, but such a procedure is only permitted for customers suspected of money laundering.
The initial difficulties seem to have been largely overcome, and the GDPR appears to be interpreted more leniently than expected. Its benefits currently outweigh its drawbacks, and it does what it was designed to do. So far, no wave of cease-and-desist lawyers has formed, and the fines, despite their extreme size, have been applied in very understandable cases.