Data on the total amount of fines for violations of the regulation have been published.
/ photo Bankenverband PD
Who published the report on the amount of fines
The General Data Protection Regulation will only mark its first year in May, but European regulators have already summed up interim results. In February 2019, the European Data Protection Board (EDPB), the body that monitors compliance with the regulation, released a report on the results of the GDPR.
The first GDPR penalties were low because companies were not ready for the regulation's entry into force. For the most part, violators of the regulation paid no more than a few hundred thousand euros. However, the total amount of penalties turned out to be quite impressive: almost €56 million. The EDPB report also provided other information about the "relationship" between IT companies and their customers.
What does the document say and who has already paid the fine?
While the regulation has been in force, European regulators have opened about 206 thousand cases concerning violations of personal data security. Almost half of them (94,622) were opened following complaints from private individuals. EU citizens can file a complaint about violations in the processing and storage of their personal data with their national regulatory authority, after which the case is investigated under the jurisdiction of that country.
The main subjects of Europeans' complaints were violations of the rights of data subjects and of consumers, as well as leaks of personal data.
Another 64,864 cases were opened on the basis of data breach notifications from the companies responsible for the incidents. It is not known exactly how many of these cases ended in fines, but in total violators paid €56 million. According to information security experts, most of this amount will have to be paid by Google. In January 2019, the French regulator CNIL imposed a €50 million fine on the IT giant.
The case dates back to the first day of the GDPR, when a complaint against the corporation was filed by the Austrian data protection activist Max Schrems. The activist's grievance was the imprecise wording of the consent to personal data processing that users accept when creating an account on Android devices.
Before the case against the IT giant, penalties for non-compliance with the GDPR were significantly lower. In September 2018, a Portuguese hospital paid €400,000 over a vulnerability in its medical records storage system, and a German chat application paid €20 thousand (its clients' logins and passwords were stored in unencrypted form).
What do experts say about the regulations
Regulatory officials say that in nine months the GDPR has proven its effectiveness. According to them, the regulation has helped draw users' attention to the security of their own data.
Experts point out some shortcomings that have become noticeable in the first year the regulation has been in force. The most important of them is the absence of a unified system for determining the size of fines. According to lawyers, the lack of generally accepted rules leads to a large number of appeals. Data protection authorities have to handle these appeals, which leaves them less time for complaints from EU citizens.
To solve this problem, regulators from the UK, Norway and the Netherlands are already developing rules for determining the size of a penalty. The document will collect the factors that affect the amount of a fine: the duration of the incident, how quickly the company reacted, and the number of people affected by the leak.
/ photo Bankenverband CC BY-ND
What's next
Experts believe that it is too early for IT companies to relax. Most likely, in the future, the size of penalties for non-compliance with the GDPR will increase.
The first reason is the frequency of data leaks. According to statistics from the Netherlands, where breaches of personal data storage had to be reported even before the GDPR, the number of leak notifications doubled in 2018. According to data protection expert Guy Bunker, new GDPR violations come to light almost daily, so in the near future regulators will treat offending companies more severely.
The second reason is the end of the "soft" approach. In 2018, fines were a last resort: most regulators sought to help companies protect customer data. However, there are already several cases in Europe that could lead to large fines under the GDPR.
In September 2018, a massive data breach occurred at British Airways. Due to a vulnerability in the airline's payment system, attackers had access to customer credit card data for fifteen days. An estimated 400,000 individuals were affected. Information security experts expect that the airline may receive the first maximum fine in the UK: €20 million or 4% of the corporation's annual turnover, whichever is higher.
Another contender for major financial penalties is Facebook. The Irish Data Protection Commission has opened ten cases against the IT giant over various GDPR violations. The largest of them occurred last September, when a vulnerability in the social network's infrastructure allowed attackers to obtain access tokens used for automatic login. 50 million Facebook users were affected, 5 million of whom turned out to be EU residents. According to ZDNet, this data breach alone could cost the company billions of dollars.
In short, be prepared for the GDPR to show its strength in 2019: regulators will no longer turn a blind eye to violations, and high-profile cases of non-compliance are likely only to become more numerous.