GDPR, the EU General Data Protection Regulation, celebrated its first birthday on May 25th, 2019. During the first year of its existence, the regulation has attracted 144,376 complaints from EU citizens, representing an average of 3 out of 10,000 citizens complaining that their information has been used in violation of the provisions of GDPR.
Most complaints have been about the abuse of telemarketing, email, or video surveillance.
The GDPR requires companies to submit a report within 72 hours of detecting abuse. During its first year, companies and organizations reported 89,271 data breaches.
According to an EU report published in March, every third EU citizen does not yet know of the existence of the GDPR. The Swedish (90%) and Dutch (87%) know it best. In Finland, 35% of citizens know what GDPR means and 31% have heard about GDPR (66% in total).
50 euros, 500 euros or 500,000 euros – what is the appropriate punishment?
International law firm DLA Piper specialises in data protection breaches. In their blog, the company writes about the first GDPR trial in EU history (November 7, 2013), where the top question was the claim for compensation and how it should be calculated.
€50.00 does not seem like much in that one case. However, companies will typically not send emails to individual people, but rather to hundreds or thousands of addresses. They could, therefore, be exposed to significantly higher damage claims.
The severity of the GDPR penalties imposed over the past year varies greatly: Google was fined EUR 50 million in France and at the other end of the scale is an Austrian company that was fined only EUR 5,280 for improper video surveillance. It is noteworthy that a large proportion of GDPR complaints have led to demands for corrective action without the imposition of a fine.
Irish law firm Nathan Trust follows GDPR complaints, warnings, penalties and sanctions closely and has summarized recent GDPR cases on its newsfeed.
More interesting GDPR knowledge
GDPR by the numbers: a great infographic for the first year of GDPR.
See also the European Data Protection Board summary for the first year of GDPR.