Early GDPR Penalties: Analysis of Implementation and Fines Through May 2020

38 Pages Posted: 15 Dec 2020

See all articles by Josephine Wolff

Josephine Wolff

The Fletcher School of Law and Diplomacy, Tufts University

Nicole Atallah

Tufts University - The Fletcher School of Law and Diplomacy

Date Written: December 14, 2020

Abstract

The General Data Protection Regulation (GDPR) which went into effect in May 2018 enabled European Data Protection Authorities (DPAs) to fine companies up to 4 percent of their annual revenue in the event that they were found in violation of the regulations requirements for data collection, processing, and use. But the regulation gave DPAs considerable leeway to determine how they would implement these penalties. This paper analyzes 261 publicly available GDPR enforcement orders issued by DPAs during the first 24 months of the GDPR implementation. The findings show that most GDPR fines levied so far have been relatively small, many of them within the thresholds set by earlier laws prior to the GDPR. Additionally, only half of the GDPR Articles for which penalties are designated have actually resulted in public enforcement actions, and those fines that have been levied focus primarily on violations of five particular Articles, four of which pertain primarily to user privacy protections. However, despite the fact that most of the fines issued under the GDPR have been in response to privacy violations, the largest fines have been triggered by security incidents, and, on average, security violations still receive larger fines than privacy violations.

Keywords: GDPR, cybersecurity policy, information privacy

Suggested Citation

Wolff, Josephine and Atallah, Nicole, Early GDPR Penalties: Analysis of Implementation and Fines Through May 2020 (December 14, 2020). TPRC48: The 48th Research Conference on Communication, Information and Internet Policy, Available at SSRN: https://ssrn.com/abstract=3748837 or http://dx.doi.org/10.2139/ssrn.3748837

Josephine Wolff (Contact Author)

The Fletcher School of Law and Diplomacy, Tufts University ( email )

160 Packard
Medford, MA 02155
United States

Nicole Atallah

Tufts University - The Fletcher School of Law and Diplomacy ( email )

160 Packard
Medford, MA 02155
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
236
Abstract Views
753
rank
177,020
PlumX Metrics