View from Brussels: Data breach fines start to trend

GDPR was touted as the EU’s chance to get ahead of the curve on data regulation, by setting a rulebook that other countries could adopt, either to match the highest standards available or out of sheer necessity in order to do business in the single market.

Brussels has ambitions to be the ‘rule-maker’ rather than ‘rule-taker’ in every sector it regulates, be it data, climate, transport or electronics. First-mover advantage is more often than not worth its weight in gold.

However, the labyrinthine process of policy-making and deep-seated vested interests often allows others to steal a march on the EU and establish standards long before Brussels is able to get its act together. GDPR was largely an exception to that trend.

Aside from the extra burden the regulation imposes on companies, critics of GDPR have also alleged that the law allows national regulators too much wriggle-room, allowing them to let tech giants off the hook with small fines, so as not to scare off business.

Little Luxembourg blew that latter theory completely out of the water in July, when it issued a record €746m fine against Amazon, after its data authorities found the e-commerce titan guilty of GDPR breaches believed to be linked to advertising practices.

Amazon has its EU headquarters in Luxembourg so it is a significant blow against the firm, which has indicated it intends to appeal the decision.

Considering that the previous record fine was a ‘mere’ €50m meted out by France against Google, it is a clear indication that Europe is going to start reining in tech companies by using GDPR and the EU’s e-Privacy directive as the means to do it.

GDPR, after all, is not the only weapon in the regulatory arsenal. France’s regulator doled out fines of €100m and €35m to Google and Amazon, respectively, last year, citing inadequate cookie policies as the reason behind the penalties.

Luxembourg is not the leader when it comes to the number of fines, though. That accolade goes to Spain, which has handed down 275 penalties in three years, while Italy and Romania also top the table with 76 and 61 sanctions, respectively.

The number of fines may soon increase, as the EU’s top court ruled in June that countries can launch cases in other members of the bloc where there is a case of legitimate urgency.

That was a reaction to Ireland’s claim that it could not keep up with the sheer volume of privacy complaints being made, owing to the number of big tech companies that have their HQs on Irish territory.

It is not just national authorities that are starting to crack down on bad practice. A data protection watchdog for the German city of Hamburg insisted this week that Zoom, the video-conferencing platform made infamous by lockdowns, allegedly breaches GDPR.

The city’s data protection commissioner, Ulrich Kühn, said in a statement that using Zoom “is associated with the transmission of personal data to the US” and warned Hamburg’s senate not to use the platform.

Zoom says that its services are GDPR-compliant and it remains to be seen whether the Hamburg watchdog will pursue the matter further or if other regulators will scrutinise companies like Zoom more closely in the coming months and years.

This willingness to enforce the rules could have a positive impact elsewhere in EU lawmaking. If countries start to twig that rules made in Brussels actually carry proper clout, they may be more willing to play fairly.

EU penalties or 'infringement procedures' are somewhat of an unfunny joke in Brussels, as the European Commission, the bloc’s executive branch, has to fulfil a long list of criteria before referring a country to the EU’s top court.

Cases often last several years before coming to a close, by which time most people have forgotten what the dispute was about and, in some instances, new rules have superseded the original set.