2019 in data: enforcement
The GDPR was the main story of 2019 – the groundbreaking European data protection law was easily the biggest issue that companies and their advisers had to deal with.
After a relatively quiet 2018, enforcement truly kicked off in 2019. Below, you’ll find some of GDR’s best coverage of the EU’s regulators getting stuck in. But the GDPR isn’t everything: we also bring you highlights of other regulatory enforcement around the world, as watchdogs of all shapes and sizes turned their attention to corporate data.
Google ordered to pay first multi-million GDPR fine
By Tom Webb and Vincent Manancourt, 21 January
France’s data protection authority fined Google €50 million, saying the company violated the GDPR’s transparency requirements and failed to obtain valid consent from millions of users.
Bisnode receives first Polish GDPR fining decision over scraped data
By Tom Webb, 27 March
Poland’s Personal Data Protection Office fined data analytics company Bisnode for a GDPR infringement that it said affected more than 6 million people.
Facebook rejects Canadian regulators’ recommendations
By Tom Webb, 26 April
The Office of the Privacy Commissioner of Canada vowed to take Facebook to court, after the company declined to implement changes to its data privacy programme in the wake of the Cambridge Analytica scandal.
Belgian Facebook enforcement heads to ECJ
By Sam Clark, 9 May
The Brussels Court of Appeal referred regulatory action relating to Facebook to the European Court of Justice, asking it to clarify which data protection authorities can take companies to court over cross-border data-processing issues.
Danish authority proposes fine for retention failures
By Bronte Cullum, 11 June
Denmark’s data privacy enforcer proposed its largest GDPR fine yet for a furniture store’s failure to implement and enforce a data retention policy.
Spanish football league to challenge GDPR penalty
By Bronte Cullum, 12 June
Spain’s data protection watchdog has ordered La Liga to pay a €250,000 penalty for allegedly spying on users of its mobile app without their consent – but the league is set to appeal against the fine.
Proposed £183 million fine for British Airways emboldens claims groups
By Vincent Manancourt, 8 July
The UK Information Commissioner’s Office announced its intention to impose the largest GDPR fine to date on British Airways over a data breach that occurred in 2018, emboldening claimants seeking to have legal action against the carrier greenlighted by the courts.
FTC splits along party lines over Facebook decision
By Ken Silva and Vincent Manancourt, 24 July
After weeks of speculation, the US Federal Trade Commission confirmed a $5 billion settlement with Facebook over the Cambridge Analytica scandal – but the regulator’s two Democratic members said the settlement didn’t go far enough.
Class action negotiations underpinned $700 million Equifax penalty
By Ken Silva, 29 July
The US multi-regulator $700 million Equifax data breach settlement was reached in large part due to the efforts of lawyers representing plaintiffs in a class action lawsuit against the credit reporting agency.
Hamburg regulator bans Google from listening to smart speaker audio
By Sam Clark, 2 August
In a move seen by some as the German regulator expressing its dissatisfaction with the Irish authority’s oversight of big tech, the Hamburg data authority triggered an as-yet-unused GDPR provision to circumvent Google’s lead EU authority in banning the company from listening to audio recorded off its smart speaker customers.
Facebook did little to investigate Cambridge Analytica despite employee warnings
By Ken Silva, 23 August
Facebook did little to investigate concerns raised by an employee in September 2015 that Cambridge Analytica could be scraping its users’ data to target US voters, according to internal Facebook emails obtained by GDR from the Washington, DC, attorney general.
Poland hits shopping site with its largest GDPR fine to date
By Robert Hart, 12 September
Poland’s data watchdog fined the shopping site morele.net around €650,000 for a data breach it claims affected more than 2 million people.
CNIL cookie guidelines grace period upheld
By Tom Webb, 17 October
France’s highest administrative court refused to overturn the French data regulator’s decision to delay the implementation of its new, stricter cookie guidelines.
EDPS to issue stop-processing order
By Vincent Manancourt, 23 October
The European Data Protection Supervisor is planning to order an EU agency to stop processing data.
ICO settles with Facebook in Cambridge Analytica case
By Sam Clark, 30 October
The UK Information Commissioner’s Office reached a settlement with Facebook over an investigation into the company’s role in the Cambridge Analytica scandal, in a decision that may allow the company to fight future litigation more vigorously.
Berlin targets privacy by design for first multi-million euro fine
By Vincent Manancourt, 5 November
Berlin’s data protection authority fined German realtor Deutsche Wohnen €14.5 million for infringing GDPR privacy by design and data-minimisation rules.
UK regulated firms risk enforcement for failure to perform e-marketing data due diligence
By Alex Pugh, 6 December
A court's decision to uphold a fine in the financial services sector over a failure to properly scrutinise data a company bought from third parties acts as a warning to regulated firms that they must conduct proper due diligence when acquiring data assets.
ICO readies another enforcement case
By Tom Webb, 9 December
The UK’s data watchdog is at an advanced stage of at least three GDPR enforcement proceedings, GDR has learned.
German telco to appeal multimillion-euro GDPR fine
By Sam Clark, 10 December
Telecommunications company 1&1 has vowed to fight a €9.5 million GDPR fine levied against it by Germany’s federal data protection regulator.
Polish court upholds Bisnode decision but dismisses fine
By Alex Pugh, 16 December
A Polish court upheld the country’s first GDPR enforcement action – but overturned the fine and ordered a recalculation.
Google fights Australian location data enforcement
By Tom Webb, 18 December
Google denied an Australian watchdog’s “artificial and incorrect” allegations that it misled consumers about its collection and use of location data.
FTC faces rare Privacy Shield appeal
By Ken Silva, 19 December
Nevada-based RagingWire Data Centers moved to have a US Federal Trade Commission Privacy Shield complaint dismissed, calling the enforcement action a “waste of FTC resources, this court’s time, and RagingWire’s resources”.
Schrems II advocate-general recommends upholding SCCs
By Sam Clark, 19 December
A European Court of Justice advocate-general’s opinion in Schrems II argued that standard contractual clauses should remain in force – but that companies and regulators must check that the contracts actually protect data, and that the EU-US Privacy Shield could be invalid.