2019 in data: enforcement

The GDPR was the main story of 2019 – the groundbreaking European data protection law was easily the biggest issue that companies and their advisers had to deal with.

After a relatively quiet 2018, enforcement truly kicked off in 2019. Below, you’ll find some of GDR’s best of the EU’s regulators getting stuck in. But the GDPR isn’t everything: we also bring you highlights of other regulatory enforcement around the world, as watchdogs of all shapes and sizes turned their attention to corporate data.

Google ordered to pay first multi-million GDPR fine

By Tom Webb and Vincent Manancourt, 21 January

France’s data protection authority fined Google €50 million, saying the company violated the GDPR’s transparency requirements and failed to obtain valid consent from millions of users.

Bisnode receives first Polish GDPR fining decision over scraped data

By Tom Webb, 27 March

Poland’s Personal Data Protection Office fined data analytics company Bisnode for a GDPR infringement that it said affected more than 6 million people.

Facebook rejects Canadian regulators’ recommendations

By Tom Webb, 26 April

The Office of the Privacy Commissioner of Canada vowed to take Facebook to court, after the company declined to implement changes to its data privacy programme in the wake of the Cambridge Analytica scandal.

Belgian Facebook enforcement heads to ECJ

By Sam Clark, 9 May

The Brussels Court of Appeal referred regulatory action relating to Facebook to the European Court of Justice, asking it to clarify which data protection authorities can take companies to court over cross-border data-processing issues.

Danish authority proposes fine for retention failures

By Bronte Cullum, 11 June

Denmark’s data privacy enforcer proposed its largest GDPR fine yet for a furniture store’s failure to implement and enforce a data retention policy.

Spanish football league to challenge GDPR penalty

By Bronte Cullum, 12 June

Spain’s data protection watchdog has ordered La Liga to pay a €250,000 penalty for allegedly spying on users of its mobile app without their consent – but the league is set to appeal against the fine.

Proposed £183 million fine for British Airways emboldens claims groups

By Vincent Manancourt, 8 July

The UK Information Commissioner's Office announced its intention to impose the largest GDPR fine to date on British Airways over a data breach that occured in 2018, emboldening claimants seeking to have legal action against the carrier greenlighted by the courts.

FTC splits along party lines over Facebook decision

By Ken Silva and Vincent Manancourt, 24 July

After weeks of speculation, the US Federal Trade Commission confirmed a $5 billion settlement with Facebook over the Cambridge Analytica scandal – but the regulator’s two Democratic members said the settlement didn’t go far enough.

Class action negotiations underpinned $700 million Equifax penalty

By Ken Silva, 29 July

The US multi-regulator $700 million Equifax data breach settlement was reached in large part due to the efforts of lawyers representing plaintiffs in a class action lawsuit against the credit reporting agency.

Hamburg regulator bans Google from listening to smart speaker audio

By Sam Clark, 2 August

In a move seen by some as the German regulator expressing its dissatisfaction with the Irish authority’s oversight of big tech, the Hamburg data authority triggered an as-yet-unused GDPR provision to circumvent Google’s lead EU authority in banning the company from listening to audio recorded off its smart speaker customers.

Facebook did little to investigate Cambridge Analytica despite employee warnings

By Ken Silva, 23 August

Facebook did little to investigate concerns raised by an employee in September 2015 that Cambridge Analytica could be scraping its users’ data to target US voters, according to internal Facebook emails obtained by GDR from the Washington, DC, attorney general.

Poland hits shopping site with its largest GDPR fine to date

By Robert Hart, 12 September

Poland’s data watchdog fined the shopping site morele.net around €650,000 for a data breach it claims affected more than 2 million people.

CNIL cookie guidelines grace period upheld

By Tom Webb, 17 October

France’s highest administrative court refused to overturn the French data regulator’s decision to delay the implementation of its new, stricter cookie guidelines.

EDPS to issue stop-processing order

By Vincent Manancourt, 23 October

The European Data Protection Supervisor is planning to order an EU agency to stop processing data.

ICO settles with Facebook in Cambridge Analytica case

By Sam Clark, 30 October

The UK Information Commissioner’s Office reached a settlement with Facebook over an investigation into the company’s role in the Cambridge Analytica scandal, in a decision that may allow the company to fight future litigation more vigorously.

Berlin targets privacy by design for first multi-million euro fine

By Vincent Manancourt, 5 November

Berlin’s data protection authority fined German realtor Deutsche Wohnen €14.5 million for infringing GDPR privacy by design and data-minimisation rules.

UK regulated firms risk enforcement for failure to perform e-marketing data due diligence

By Alex Pugh, 6 December

A court's decision to uphold a fine in the financial services sector over a failure to properly scrutinise data a company bought from third parties acts as a warning to regulated firms that they must conduct proper due diligence when acquiring data assets.

ICO readies another enforcement case

By Tom Webb, 9 December

The UK’s data watchdog is at an advanced stage of at least three GDPR enforcement proceedings, GDR has learned.

German telco to appeal multimillion-euro GDPR fine

By Sam Clark, 10 December

Telecommunications company 1&1 has vowed to fight a €9.5 million GDPR fine levied against it by Germany’s federal data protection regulator.

Polish court upholds Bisnode decision but dismisses fine

By Alex Pugh, 16 December

A Polish court upheld the country’s first GDPR enforcement action – but overturned the fine and ordered a recalculation.

Google fights Australian location data enforcement

By Tom Webb, 18 December

Google denied an Australian watchdog’s “artificial and incorrect” allegations that it misled consumers about its collection and use of location data.

FTC faces rare Privacy Shield appeal

By Ken Silva, 19 December

Nevada-based RagingWire Data Centers moved to have a US Federal Trade Commission Privacy Shield complaint dismissed, calling the enforcement action a “waste of FTC resources, this court’s time, and RagingWire’s resources”.

Schrems II advocate-general recommends upholding SCCs

By Sam Clark, 19 December

A European Court of Justice advocate-general’s opinion in Schrems II argued that standard contractual clauses should remain in force – but that companies and regulators must check that the contracts actually protect data, and that the EU-US Privacy Shield could be invalid.

Unlock unlimited access to all Global Data Review content