The introduction of GDPR led to one of the biggest frenzies in corporate activity we’ve seen in quite some time. A lot of it quite unnecessary and hysterical, based on incomplete information and bad advice.
Sure, it was necessary to get ready for GDPR and to ensure that we were compliant. The really important point is that it still is.
But the tendency for some might be to think that GDPR came and GDPR went and the sky didn’t fall in and the world didn’t end and, well, nothing much happened.
Well, that is nothing much has happened yet.
But the absence of evidence is not evidence of absence.
At the time for writing in July 2019, we are still in the very early days of GDPR enforcement. We’ve known it was coming for over two years (the GDPR was actually passed into law in May 2016 but it was given a two-year lead time in order to enable businesses to get ready.) And so we have been told in no uncertain terms that, as there was such a long lead time, there would be no grace period and the law would be enforced in full from the outset.
But even then, legal enforcement isn’t something we are likely to see the results of overnight. It will take time before we will see the results of reported cases, and public reports of what penalties are likely to be imposed.
But that does not mean we can be complacent in the meantime.
How might non-compliance be handled by regulators?
So, to get an idea of what non-compliance with article 27 of the GDPR might look like we have to go back in time a little to a case involving WhatsApp.
WhatsApp were taken to task by the Dutch government under the Dutch laws that preceded GDPR which included a provision similar to article 27 which require a controller processing data on behalf of data subjects based in the Netherland to have a presence in that jurisdiction. WhatsApp didn’t.
The Dutch data protection authority issued WhatsApp with a compliance order an imposed a penalty of €10,000.00 for each day that they failed to comply. WhatsApps then appealed to the Dutch Administrative Court who ruled against them and so, presumably, they must have ended up with a hefty legal bill into the bargain.
That was back in 2016 and under the data protection laws that preceded GDPR. The really important thing to note here is that the GDPR strengthened and increased EU the system of fines for enforcement of data protection laws.
There are two tiers of administrative fines for the purposes of the GDPR.
Infringement of Article 27 itself, i.e. failing to appoint a representative in the first place, is subject to the first tier of administrative fines of up to €10,000,000 or up to 2% total worldwide annual revenue of the preceding financial year, whichever is higher.
Furthermore, while the failure to appoint a representative is in itself a breach of the GDPR, whether or not the business has appointed a representative is one of the factors to be taken in account in assessing the level of the second tier of administrative fines of up to €20,000,000 or up to 4% total worldwide annual revenue of the preceding financial year, whichever is higher, for more serious breaches of the GDPR. The degree of responsibility shown by the business in taking into account technical and organisational measures in its compliance with GDPR will be taken into account in assessing fines. Therefore, businesses that fail to appoint a representative not only face direct fines for failing to do so, but also face increased fines for other aspects of GDPR non-compliance. The risks here are very significant, and this includes businesses based in the USA or any other country outside of the EU.
Civil liability in addition to fines
Apart from fines, the GDPR introduces civil liability for businesses pursuant to which any person who has suffers material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the business for the damage suffered. The GDPR also introduces a type of class-action system where not-for-profit agencies can take legal action against businesses on behalf of groups of consumers.
Given the exposure to civil liability for breaches of GDPR one of the most important things that businesses should be doing now is to insure themselves against these risks. While cyber liability insurance may be used to mitigate these risks in business, it should be borne in mind that implicit in your upmost good faith insurance contract will be your obligation to comply with your legal requirements. If you have chosen not to appoint a GDPR representative for your business, you may be invalidating the very insurance that you are paying for to protect you against that risk in the first place.
So while the WhatsApp case is the closest thing to a precedent that we currently have in this area, the system of fines under GDPR is only likely to go one way, and that is up.
Now WhatsApp is owned by Facebook, and presumably, this kind of thing, while embarrassing, is relatively small beer for them in the grander scheme of things.
Could you say the same about your business?
Businesses based in the USA may find the following resources useful.
About the author
Flor McCarthy is the author of our guides to GDPR. Flor is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi award winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
Click here to return to the GDPR Compliance Hub.