Since GDPR came into force, there has been a steady increase in fines issued. Ireland’s Data Protection Commissioner has yet to issue a fine. However, with a number of investigations into multinational tech companies, there may be fines on the horizon.
Most fines issued by other supervisory authorities were due to a breach of Article 5 of the GDPR, ‘Principles relating to processing of personal data’. This was followed by breaches of Article 6, ‘Lawfulness of processing’ and finally, Article 32, ‘Security of processing’.
Recently, the Information Commissioner's Office in the UK fined DSG Retail Limited £500,000 after a 'point of sale' computer system was compromised as a result of a cyber-attack. Additionally, a UK pharmacy, Doorstep Dispensaree, has been fined £275,000 for “careless” storage of patient data.
The top ten biggest GDPR fines combined amount to €411.7 million. The largest fine was to British Airways. The airline was fined €204.6m (£182m) for a large data breach caused by a cyber-attack.
As enforcement activity picks up across the EU, it is important for organisations to implement and monitor their Data Privacy Strategy.
India has proposed its first major law on the use and control of its citizens’ personal data, a controversial piece of legislation that will restrict how companies can manage sensitive information while giving government authorities broad powers to access it.
As facial recognition becomes more prevalent, there is an increased need for regulation over its use. The European Commission is planning regulation that will give EU citizens explicit rights over the use of their facial recognition data as part of an overhaul in the way Europe regulates artificial intelligence.
The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. Companies have already responded by updating privacy policies promising ‘more transparency’. There is uncertainty around a new right allowing consumers to ban companies from selling their data on to third parties. However, companies have time to adapt as enforcement will not begin until July 2020.
In anticipation of the CCPA, the US Congress is renewing discussion of a possible comprehensive federal data privacy law. On December 4, a US Senate Committee held a hearing focused on developing a framework for consumers to exercise control over the data that companies collect by providing them with access, deletion and portability rights, and the extent to which a federal law should pre-empt state privacy laws such as the CCPA.
If you have any related questions or need further information, please get in touch with Michael Daughton or Tom Hyland of our Risk Consulting practice.