European Union

EU Data Privacy Fines Are Getting Steep. Will This Be the New Normal?

And will the end result encourage companies to try to keep cybersecurity breaches secret?


For some data activists, the General Data Protection Regulation (GDPR) has so far been kind of a dud. They hoped the EU's mammoth data privacy rules would bring largely-foreign tech giants to heel with complex requirements and steep fines.

Instead, the GDPR has mostly ended up being the "Google Data Protection Regulation," because the big guys can handle compliance hurdles better than everyone else. Other than one rousing anti-Google effort from the French, EU member nations have largely targeted small fish, including a small Austrian business whose security cameras captured "too much public space" (earning a €4,800 rebuke—$5,400 in U.S. currency) and a tardy Bulgarian firm that dragged its feet in responding to an employee's data request (to the tune a cool €500).

There have been a handful of more substantial actions as well. One pretty bonkers incident involved the soccer league La Liga allegedly sussing out which sports bars were pirating soccer matches by hijacking app user microphones. The Spanish Data Protection Agency said ¡basta ya! and slapped a quarter-million euro fine on the supposed soccer snoopers. (La Liga denies the allegations and is appealing.)

But in general, when you browse the unofficial databases of GDPR enforcement actions, you'll find a lot of snoozers.

A recent report by the law firm DLA Piper bears this out. It finds that there were some 59,000 publicly disclosed data breaches within the EU over the past year. Of these, only 41,502 made it as official EU-reported data breaches. But EU member states have only acted on 91 incidents, like the one involving our over-zealous Austrian company from earlier.

The researchers believe that EU member states are simply ill-equipped to manage the regulatory task at hand. Before the GDPR took effect, there were reports that many data protection authorities were ignorant of what "compliance" would even look like. It's not surprising that they would be slow on the bureaucratic uptake a year later.

This appears to be changing. Last week, the UK's Information Commissioner's Office (ICO) announced two major fines against alleged GDPR offenders.

First, British Airways was hit with a record-setting £183 million fee ($229 million U.S.) for a website vulnerability that redirected some half a million visitors to a fraudulent website in June of 2018. Personal data of the duped victims were apparently exposed to the fraudsters.

The beleaguered airline's CEO was surprised by the action, as the company has found no evidence that any fraudulent activity resulted from the breach. Furthermore, he says British Airways worked closely with the ICO to make security improvements following the breach. Tough break old chap, but I suppose the ICO only has so long to exercise its GDPR authorities until Brexit (maybe?) comes to wreck it all.

The U.S.-owned Marriott International was the next domino, facing a £99-million penalty ($124 million U.S.) for an incident of which the hotel chain notified the ICO last November. The Starwoods hotel group, which Marriott eventually purchased, suffered a system compromise in 2014. (The ICO press release does not mention numbers, but it's estimated that some 327 million customers were impacted.) Marriott later acquired Starwoods in 2016, but did not learn of the vulnerability until 2018, after which the company informed the ICO.

Despite this seeming good faith effort to work with regulators, the ICO still brought the book down on Marriott. The UK's data regulator ruled that Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." Of course, all of this occurred years before the GDPR even took effect, but no matter.

Right away, it's noteworthy that neither of these firms are "technology companies," strictly speaking. While British Airways and Marriott are major firms with all the attendant technological infrastructure needed to power its enterprises, they are not exactly who most people have in mind when they think about data privacy violations.

The GDPR was sold as a tool to tame the Googles and the Facebooks of the world. But law applies to any worldwide entity that "process[es] the personal data of data subjects who are in the Union," regardless of size or industry. No gamer is safe: this is why the humble virtual tabletop dice roller was forced to shutter its European doors on the eve of the GDPR rollout.

In truth, any company is fair game for GDPR enforcement. In regulating "data use," the GDPR is regulating basically everything.

And producing "evidence of consumer harm" is not necessarily a requirement to issue bank-breaking fees. The ICO statements did not clarify the specific fallout for victims in either case. Maybe the data are merely "exposed" but never actually gathered or used—a clearly different beast than a situation where people's personal data are used in fraud or surveillance. The mere fact that a breach occurred could be reason enough to try and bag the big game.

Why not? GDPR fines can make handsome contributions to national treasuries (victims do not by default receive any of the proceeds). There is a great incentive for data protection authorities to issue steep fines wherever they can. Companies will try to dispute the charges, and final penalties may settle at lower levels. But they will usually be greater than zero, so data enforcers will tend to aim high when possible.

The leaders of other data protection authorities are surely viewing these two British cases with interest. The floodgates have been opened and copycats will follow. It's free money. Most big companies have suffered some kind of data breach in the course of their long histories. If you look hard enough, you'll probably find one. The bigger the company, the greater the digital attack surface—and tantalizingly for regulators, the deeper the pockets.

Trying to proactively work with regulators does not seem to buy goodwill either. This sets another pernicious incentive. Companies may shy away from reporting such incidents in fear of an EU shakedown. Such cover-ups may be found out anyway, which would create a whole new set of problems for compromised firms. But maybe they wouldn't, and breaches that could have otherwise been responsibly handled may be simply swept under the rug.

It's an unfortunate state of affairs. Companies are incentivized to spend millions in search of "compliance," whether or not that translates to meaningful progress in data practices. They may be tempted to hide breaches to avoid onerous fines. And data enforcements are incentivized to shake down any company that finds itself misaligned with vague GDPR dictates, regardless of whether there was any demonstrable harm.

Welcome to the new normal of a post-GDPR world. It may keep lawyers busy and state coffers fuller, but it doesn't do much to promote the improvements on data privacy policies that advocates had hoped.

NEXT: Trump and Others Scared of Cryptocurrency Echo Earlier Fears About Cash

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Americans and American businesses mistakenly believed that they could take the leash off the internet and open up control to non-Americans companies and governments to continue a service based on relatively little control and freedoms of speech and press.

    We were all wrong.

    1. Not me. I saw it coming years ago. So all but one of us.

      1. I remember thinking it was a bad idea too.

        By “We”, I meant the people who think America is not the best country in the World.

  2. “authorities were ignorant of what “compliance” would even look like.”
    Bullshit. It looks like a piggy bank. They know that. They knew it when they passed the rules.
    Sooner or later some company is going have to grow a pair and just shut down Europe until the next election when the people put in guys to repeal the madness. is just not big enough.
    Surely all good socialists want what is best for individual freedom, right?

  3. European governments have exhausted their ability to raise taxes, and these new arbitrary fines are a politically palatable substitute.

    1. Which mirrors what US cities and towns are doing via pernicious code violation fines. Bureaucracies gotta bureaucrat.

  4. > Instead, the GDPR has mostly ended up being the “Google Data Protection Regulation,” because the big guys can handle compliance hurdles better than everyone else.

    That’s the whole point of regulations like this! To entrench the large existing players and protect them from competition! Duh!

    This is not a bug, it’s a feature. An intended feature by the people who wrote the regulations. That the media was an unwitting accomplice in telling the public that it was the opposite of what it was is sad, but not unexpected.

  5. Any decent InfoSec practitioner will tell you, “A breach is not a matter of ‘if’ but a matter of ‘when’.”

    Every company will be breached at some time. It is inevitable and unavoidable on a global platform. If you’re a global bank with branches in every country, it is inevitable that one of those physical locations will be robbed at some time. Same thing with a virtual storefront.

    GDPR functions as a revenue stream to the EU cabal; not as a protection mechanism. If socialists want to enable wealth transfer to the government, this is an excellent mechanism to do so.

  6. Taxes have been getting harder and harder to increase. Income tax rates in the EU are about as high as people can stomach; they’ve reached the point where what little discretionary income is left makes new taxes very much more noticeable.

    You can only raise “fees” so much before people begin to notice they have risen beyond what covers costs.

    Where else can governments get new revenue? Just as US cops have discovered asset forfeiture and pushed it past the point where backlash threatens to cut it off altogether, so have EU governments discovered that robbing US big tech companies with semi-legal $5B fines, but it too will have a backlash.

  7. Hold a sec….let’s remember the ideological framework articulated by EU regulators when GDPR was first discussed in the early 2000’s. One aspect, as I understand it, was ownership of one’s personal data, and more broadly, the autonomy of the individual to decide for themselves what their data could be used for, and only used by their expressed consent. This was one of the imperatives of GDPR.

    What GDPR eventually became fell far short of this broad goal. But some progress toward autonomy, consent, and ownership of one’s personal data has been made. In this sense, advancing our autonomy and ownership interest in our personal data is rather libertarian in orientation, no?

    As for the tax and penalty thing…c’mon, we are not that naive, are we? I have less concern about penalties than I do about taxation. The rules to apply penalties can be made simple and straightforward; the power to tax, never straightforward – politicians will dream up endless ways to extract money. I actually do think companies should be required to disclose, and be penalized. That is especially the case in medical records, financial transactions, and banking.

  8. having good policy notes is always safe like we have for our web the telegraph star

Please to post comments

Comments are closed.