After Meta received a mammoth €1.2 billion penalty for data protection failures last month, we suggested that this could be a turning point for GDPR (General Data Protection Regulation) enforcement.
As we wrote, organisations have had time to embed the Regulation’s rules in their systems, meaning that authorities could shift their emphasis from compliance guidance to enforcement.
Andrea Jelinek, the chair of the EDPB (European Data Protection Board), suggested as much during a recent panel discussion at the IAPP 2023 Global Privacy Summit.
“When we started from scratch we had to give guidance because everyone wanted to have guidance because the elephant in the room in 2018 was the GDPR.” Now that we’re half a decade into that journey, she believes organisations “have to show that they’re compliant and if they’re not, they will be fined”.
Days after we made our prediction, Ireland’s DPC (Data Protection Commission) told LinkedIn that it planned to fine the platform almost €400 million. So, could we really be in store for an influx of large-scale GDPR penalties?
LinkedIn braces for fine
A potential GDPR fine has been hanging over LinkedIn for some time. The DPC confirmed in 2018 that it had received complaints about the professional networking site – just months after the Regulation took effect – and that an investigation was underway.
However, as has become standard practice for the DPC, the investigation was drawn out as the data protection authority became inundated with other complaints.
Ireland, more so than other EU countries, faces this problem because it’s the European home to many tech giants, including Google, Meta and Microsoft, the latter being LinkedIn’s parent company.
As a result, the DPC has overseen some of the biggest and most complex regulatory investigations, many of which remain unresolved.
Such is the scale of the backlog that EU officials have suggested a change in the way that regulatory investigations are conducted.
Despite the criticisms, the DPC has been among the most active in taking GDPR enforcement action and is responsible for five of the six largest penalties issued in the Regulation’s five-year history – including the landmark Meta fine.
The reported fine against LinkedIn would be another feather in the DPC’s cap, although it won’t be happy about the way it was reported. The authority is yet to make a statement announcing the penalty, with the news being broken by Microsoft in the investor relations section of its website.
A legal battle awaits
Microsoft said it had been told of the DPC’s intent to fine the organisation in April, and it has begun making plans to steady its financial status before a formal charge.
“After review and analysis, the company will increase its existing reserve for the matter and, based on current exchange rates, take a charge of approximately $425 million in the fourth quarter of fiscal year 2023,” Microsoft said.
Despite widespread reporting on the fine, it’s worth emphasising that this is far from a done deal. For a start, the DPC is yet to confirm the fine or how large it will be. The €398 million figure that’s being estimated is based on Microsoft’s preparations, and it is subject to change.
There is no set timeline for when the DPC will issue its final decision, and there remains the possibility that its ruling will be challenged by EU lawmakers – as has happened in several previous cases.
In one instance earlier this year, the EDPB intervened in a DPC investigation into Meta (separate from the one that led to the €1.2 billion fine) after it disagreed with the data protection authority’s decision on the legality of Meta’s legal basis for processing personal data.
Eventually, the DPC overturned its original decision and issued Meta a €390 million fine.
Even if Meta and the EDPB agree on a penalty, Microsoft said it “intends to dispute the legal basis for, and the amount of, the proposed fine and will continue to defend its compliance with GDPR”.
It added that, upon receiving a final decision, it will “consider all legal options and intends to defend itself vigorously in this matter”.
Reflect – review – refresh
Whatever your current GDPR practices look like, it’s important to remember that GDPR compliance is an ongoing process.
To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.
IT Governance has been at the forefront of GDPR compliance solutions since it was introduced. In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.