Data Privacy Fines Begin to Hit Hard: Time to Review Your Compliance Program

At Aite-Novarica Group we have covered the evolution and complexity of data privacy requirements. In January 2020 one of our top 10 trends in cybersecurity for 2020 was “additional complexity is associated with data and privacy requirements.” In that report, I wrote about the EU General Data Protection Regulation (GDPR) and noted that “… the individual EU country data supervisory authorities recruited heavily to fill open data protection and enforcement positions in 2019 and will likely see a marked increase in enforcement actions in 2020.” Well, we did see some notable GDPR enforcements in 2020 (Google was fined US$56.6 million and clothing company H&M was fined US$41 million), but nothing anywhere close to the eye-watering fine of US$888 million that Luxembourg’s Data Protection Authority (CNPD) announced on July 16, 2021, it would fine Amazon for unspecified GDPR violations. In fact, Amazon’s levy is more than double all previously reported GDPR fines since the May 2018 effective date. Amazon will certainly appeal and will likely not have to pay the full amount, much as British Airways was able to reduce its levy from US$230 million to US$26 million due to COVID-19 business challenges. Still, the CNPD’s announcement is a clear shot over the bow that portends additional big GDPR headlines soon.

In March 2021, Aite-Novarica Group continued our coverage of privacy complexity and the implications for noncompliance with regulations such as GDPR. That report included some key extracts from the European Privacy Board’s 43rd Plenary Session on December 15, 2020. The plenary report noted that GDPR enforcement was one of the board’s key strategy pillars and that the emphasis would shift from helping organizations comply with GDPR to a step-up in enforcement actions and fines in 2021 and 2022. It looks like the Amazon fine demonstrates that strategy.

I’ve seen many executives scoff at the GDPR maximum fine of up to 4% of global annual turnover. Many expressed that the Europeans had limited jurisdiction in the U.S. and little appetite for litigation. Some organizations elected to do the bare minimum for GDPR compliance or just brush away parts of GDPR’s scope as not applicable to their companies. Other organizations took GDPR seriously and invested in people, programs, and tools to track and protect data collected and processed on European citizens. Amazon won’t go broke with a nearly US$1 billion fine (that is about the profit made during the last Prime Day), but a GDPR levy could wreak havoc on less cash-rich companies.

It’s time to take another look at GDPR and assess your data protection and privacy program. GDPR and other similar requirements, such as California’s Privacy Rights Act and various national mandates, are not going to magically disappear. For GDPR, if your organization is doing business in Europe, marketing to EU citizens, or collecting/processing data on those citizens, examine GDPR through the lens of “no more Mr. Nice Guy.” If you need to automate the various processes related to privacy compliance, it’s time to look at privacy tools and products that have matured since 2018 when GDPR came into force. At any rate, take GDPR and other privacy mandates seriously, and be ready to demonstrate compliance.
