European data protection regulators will soon start issuing the first fines and temporary bans against companies found to have breached the General Data Protection Regulations (GDPR), with the first round of sanctions expected by the end of the year.
That's according to the European Data Protection Supervisor Giovanni Buttarelli, who told Reuters that the various enforcement agencies across each member state have been overwhelmed by a spate of complaints.
"I expect first GDPR fines for some cases by the end of the year," said Buttarelli, in an interview to Reuters. "Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum."
"The fine is relevant for the company and important for the public opinion, for consumer trust," he added. "But from an administrative viewpoint, this is just one element of the global enforcement."
General Data Protection Regulation (GDPR) Companies “over-reporting” data breaches as ICO takes 500 calls per week What is the Information Commissioner’s Office (ICO)?
He added that France alone had seen a 53% increase in the number of complaints against companies, and that queries clarifying various points of the new regulations had also surged across the bloc.
GDPR came into force across Europe on 25 May, including in the UK, representing the biggest shake-up to data protection policies since the introduction of the EU Data Protection Directive in 1995.
Being found in breach of these new rules brings a maximum fine of 20 million, or 4% of global revenue, whichever is higher.
Although enforcement of data protection policies is handled by independent national agencies within each member state, as the EU's Data Protection Supervisor, part of Buttarelli's brief is to coordinate the actions of these agencies.
He believes that those likely to be sanctioned will include companies headquartered across many EU countries, and a number of public bodies, although he refused to elaborate given that these investigations are still ongoing.
The UK's own data protection agency, the Information Commissioner's Office (ICO), is believed to have a number of ongoing investigations that have yet to materialise a sanction, including Ticketmaster, which suffered a breach on its systems in late June. It also recently revealed that it was receiving over 500 calls per week, many of which were data incidents that failed to meet the reporting threshold.
As part of the interview, Buttarelli also urged companies to cooperate on the EU's overhauling of the e-privacy directive, a policy designed to extend the scope of telecoms rules to cover technology firms.
The e-privacy directive is designed to work alongside GDPR, governing the handling of communications up until the moment where the data subject assumes control, at which point GDPR applies. The directive aims to level the playing field for traditional telecoms companies, who are currently subject to far tougher regulations compared to their internet counterparts, such as Skype and WhatsApp.
However, Buttarelli believes that companies have been dragging their feet over the rules, particularly as the directive was expected to be ready in time for the introduction of GDPR in May.
"E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. It would be really a dereliction of duty if the EU cannot update soon before the elections its rules on confidentiality of communication," added Buttarelli, referring to the European Parliament elections to be held in May 2019.
