We look at whom the regulators have fined, how, and what this may lead to.
Photo: Marco Verch, CC BY
GDPR entered into force over a year ago. During this time, the European Commission has issued almost a hundred fines, totalling tens of millions of euros. We covered some of them last time.
Today we continue the topic: we discuss the latest "letters of happiness" (fine notices) and look at the influence the General Data Protection Regulation has had on regulation in other countries.
New fines
Interestingly, one of the most recent fines was issued to the furniture retailer IDdesign. The company violated Article 5 of the GDPR, which says that users' personal data may be stored no longer than the purposes of processing require. IDdesign had not deleted the data of 385 thousand customers in time: this feature had not been implemented in the company's new CRM system. As a result, the furniture retailer received the largest fine the Danish regulator has issued since the GDPR entered into force: 200 thousand euros.
In Lithuania, the payment service MisterTango was fined for a similar violation. The company had not deleted customers' personal data once the need to process it had passed. In addition, the company's employees did not notify the regulator of last year's incident, in which information on 9,000 payment transactions was accidentally made public. MisterTango was ordered to pay 61 thousand euros.
In Germany, the transport company Kolibri Image received a fine. It was obliged to pay 5 thousand euros for a violation related to an error in its documentation. Another fine, of 2 thousand euros, was issued to a private individual. The user sent an email to a large number of recipients, putting them in CC (carbon copy) instead of BCC (blind carbon copy). As a result, the email addresses were visible to all the other recipients. This was treated as a leak of personal data.
A similar violation was recorded in the UK a few years earlier. In that case, a clinic for HIV patients received a fine of 180 thousand pounds. The penalty was then issued under the Data Protection Directive, which has since been replaced by the GDPR. It is believed that under the GDPR the organization would have had to write a much larger check.
Is GDPR effective?
Representatives of the European Commission believe that over the past year the GDPR has proven its effectiveness. According to them, the regulation has helped draw users' attention to the problem of data security. For example, the number of complaints registered by the British regulator has almost doubled over the past year, from 21 thousand to 41 thousand.
But in the IT industry there is a view that the GDPR has simply created another market for law firms and consultants. According to Bjorn Stormorken, financial director of the Swedish social platform Idka AB, the main goal companies pursue in the new environment is not data security but satisfying the requirements of the GDPR at minimal cost.
Some regulators are in no hurry to punish violators. About ten EU countries have not issued a single GDPR penalty, among them Belgium, Croatia, the Czech Republic, Finland and Spain. Some states have limited themselves to relatively minor sanctions: in Latvia the maximum penalty to date is 2 thousand euros, and in Bulgaria 5 thousand.
Experts nevertheless say that in the future we can expect a sharp increase in both the number of fines and their size. Ireland is already examining the cases of several major American IT companies, and decisions in those cases will probably be made.
Impact of GDPR outside the EU
Many countries have followed in the footsteps of the GDPR by reworking their data protection laws. Last year a corresponding bill was presented in India. Its authors say the document was drafted with the specifics of IT regulation in the country in mind, but foreign experience was also taken into account. Another example is the CCPA, approved in California. We discussed these two bills in our blog here and here.
Photo: Alexander Gerst, CC BY-SA
China has also decided to introduce a law similar to the GDPR; its final version was presented earlier this year. The law's authors themselves say it was created "based on" the GDPR. Its goal is to give Chinese citizens more control over their personal data.
Chinese regulators have already begun to assess the "scale of the problem." Since January they have been checking popular smartphone apps to see whether they collect excess information about users. The checks have covered food delivery services, taxi services and navigation apps.
Some believe the new law will bring some 200 other regulations relating to cybersecurity to a common denominator. However, Professor Chi Aimi (Qi Aimi) of Chongqing University has noted that the new bill should not copy the GDPR, since China has far more Internet users and one of the most developed digital economies in the world.
Time will tell how the Chinese bill performs and what impact it has on the global community. A law very similar to the Chinese one has already been prepared in Vietnam, and Tanzania is working closely with the Chinese lawmakers responsible for cyberspace.