Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced.  Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging.  Enforcement appears to be ramping up significantly.  In this post, we set out some of the most prominent regulatory enforcement developments so far — but bear in mind other investigations are also proceeding.

  • In late October, the UK Supervisory Authority (“ICO”) served an enforcement notice on AggregateIQ Data Services (“AIQ”) that required erasure of all personal data held by AIQ that related to UK individuals.  The notice also specifies that if AIQ does not comply, the ICO would impose the maximum GDPR penalties of €20 million or 4% of AIQ’s total annual worldwide turnover, whichever is higher.
  • In early October, the Irish Supervisory Authority (“DPC”) announced an investigation into Facebook for a potential data breach.
  • In mid-September, the Austrian Supervisory Authority (“DSB”) issued a fine of €4,800 under the GDPR to an entrepreneur who reportedly installed a CCTV camera that recorded a significant portion of public pavement beyond their business premises.  The DSB also recently disclosed that over 100 fine proceedings were underway, and that it had received over 700 complaints (the first, we understand, was received from the well-known privacy activist, Max Schrems).
  • In mid-July, the Portuguese Supervisory Authority (“CNPD”) fined a hospital €400,000 for breaching the GPDR, reportedly for failing to prevent hospital staff from using false profiles to access patient data.  (We provide more information on this fine, which may be under appeal, on our blog here.)
  • In mid-July, the Italian Supervisory Authority (“Garante”) served an enforcement notice on two companies (Faiella Nicola Srl and Visirun SpA) in relation to location monitoring systems used in company vehicles.  In particular, the Garante required the companies to take further steps to ensure compliance with the GDPR, including that the companies must (i) provide monitored employees with an option of deactivating the monitoring system during their break periods and outside of working hours; (ii) install an informational sticker to the window of each vehicle with the system; and (iii) ensure only small numbers of employees are permitted to access the relevant location data.
  • In late June, the French Supervisory Authority (“CNIL”), issued warnings to two companies, Teemo and Fidzup, for issues connected with their provision of platforms to mobile apps that enabled targeted advertising through the use of location data.  (We provided more in-depth information on this development on our blog here.)