Regulators are set to exercise their new powers by handing out fines and even temporary bans on companies that breach a new EU privacy law, with the first round of sanctions expected by the end of the year, the bloc’s privacy chief said.
The European Union General Data Protection Regulation (GDPR), heralded as the biggest shake-up of data privacy laws in more than two decades, came into force on May 25. The new rules, designed for the digital age, allow consumers to better control their personal data and give regulators the power to impose fines of up to 4 per cent of global revenue or 20 million euros ($23 million), whichever is higher, for violations.
Enforcers have since then been deluged by complaints about violations and queries for clarification, with France and Italy alone reporting a 53 per cent jump in complaints from last year, European Data Protection Supervisor Giovanni Buttarelli said.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters in an interview.
Data controllers, which could include social networks, search engines and online retailers, collect and process personal data while a data processor only processes the data on behalf of the controllers.
Fines are levied by national privacy regulators in the various EU member states. While Buttarelli does not personally impose fines, he coordinates the work of privacy agencies across the bloc. Fines could be imposed on any company that operates in Europe, no matter where it is headquartered.
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli said.
He said the sanctions will be imposed in many EU countries and will hit many companies and public administrations but declined to provide details because investigations were still ongoing.
Complaints filed against Google, Facebook, Instagram and WhatsApp by Austrian data privacy activist Max Schrems on the same day the GDPR rules were implemented are not expected to be among these cases as they are still at a preliminary stage, he said.
Buttarelli also urged EU countries and lawmakers to bridge their differences on overhauling the e-privacy directive which aims to create a level playing field between telecoms operators and online messaging and email services such as WhatsApp and Microsoft subsidiary Skype.
Hailed by privacy activists but criticized by tech companies and some EU countries as being too restrictive, the e-privacy proposal aims to extend tough telecoms privacy rules to the tech giants.
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. It would be really a dereliction of duty if the EU cannot update soon before the (European Parliament) elections its rules on confidentiality of communication,” Buttarelli said. Parliament elections are in May 2019.
“I think there is a margin of maneuver for sustainable compromise although there are points which cannot be negotiated. For instance the scope of application of e-privacy to over-the-top, beyond the telcos, the tech giants,” he said. Over-the-top refers to content delivered via the internet. It usually applies to companies like Google and Skype which offer services similar to telcos but are not telcos.
Consumer lobbying group BEUC said EU countries should stop dragging their feet.
“This law would be a much-needed upgrade of current rules to safeguard consumers’ privacy when they go on the internet or use mobile apps as well as protect the confidentiality of their online communication,” BEUC spokesman Johannes Kleis said.