2019 in data: enforcement
The GDPR was the main story of 2019 – the groundbreaking European data protection law was easily the biggest issue that companies and their advisers had to deal with.
After a relatively quiet 2018, enforcement truly kicked off in 2019. Below, you’ll find some of GDR’s best of the EU’s regulators getting stuck in. But the GDPR isn’t everything: we also bring you highlights of other regulatory enforcement around the world, as watchdogs of all shapes and sizes turned their attention to corporate data.
By Tom Webb and Vincent Manancourt, 21 January
France’s data protection authority fined Google €50 million, saying the company violated the GDPR’s transparency requirements and failed to obtain valid consent from millions of users.
By Tom Webb, 27 March
Poland’s Personal Data Protection Office fined data analytics company Bisnode for a GDPR infringement that it said affected more than 6 million people.
By Tom Webb, 26 April
The Office of the Privacy Commissioner of Canada vowed to take Facebook to court, after the company declined to implement changes to its data privacy programme in the wake of the Cambridge Analytica scandal.
By Sam Clark, 9 May
The Brussels Court of Appeal referred regulatory action relating to Facebook to the European Court of Justice, asking it to clarify which data protection authorities can take companies to court over cross-border data-processing issues.
By Bronte Cullum, 11 June
Denmark’s data privacy enforcer proposed its largest GDPR fine yet for a furniture store’s failure to implement and enforce a data retention policy.
By Bronte Cullum, 12 June
Spain’s data protection watchdog has ordered La Liga to pay a €250,000 penalty for allegedly spying on users of its mobile app without their consent – but the league is set to appeal against the fine.
By Vincent Manancourt, 8 July
The UK Information Commissioner's Office announced its intention to impose the largest GDPR fine to date on British Airways over a data breach that occured in 2018, emboldening claimants seeking to have legal action against the carrier greenlighted by the courts.
By Ken Silva and Vincent Manancourt, 24 July
After weeks of speculation, the US Federal Trade Commission confirmed a $5 billion settlement with Facebook over the Cambridge Analytica scandal – but the regulator’s two Democratic members said the settlement didn’t go far enough.
By Ken Silva, 29 July
The US multi-regulator $700 million Equifax data breach settlement was reached in large part due to the efforts of lawyers representing plaintiffs in a class action lawsuit against the credit reporting agency.
By Sam Clark, 2 August
In a move seen by some as the German regulator expressing its dissatisfaction with the Irish authority’s oversight of big tech, the Hamburg data authority triggered an as-yet-unused GDPR provision to circumvent Google’s lead EU authority in banning the company from listening to audio recorded off its smart speaker customers.
By Ken Silva, 23 August
Facebook did little to investigate concerns raised by an employee in September 2015 that Cambridge Analytica could be scraping its users’ data to target US voters, according to internal Facebook emails obtained by GDR from the Washington, DC, attorney general.
By Robert Hart, 12 September
Poland’s data watchdog fined the shopping site morele.net around €650,000 for a data breach it claims affected more than 2 million people.
By Tom Webb, 17 October
France’s highest administrative court refused to overturn the French data regulator’s decision to delay the implementation of its new, stricter cookie guidelines.
By Vincent Manancourt, 23 October
The European Data Protection Supervisor is planning to order an EU agency to stop processing data.
By Sam Clark, 30 October
The UK Information Commissioner’s Office reached a settlement with Facebook over an investigation into the company’s role in the Cambridge Analytica scandal, in a decision that may allow the company to fight future litigation more vigorously.
By Vincent Manancourt, 5 November
Berlin’s data protection authority fined German realtor Deutsche Wohnen €14.5 million for infringing GDPR privacy by design and data-minimisation rules.
By Alex Pugh, 6 December
A court's decision to uphold a fine in the financial services sector over a failure to properly scrutinise data a company bought from third parties acts as a warning to regulated firms that they must conduct proper due diligence when acquiring data assets.
By Tom Webb, 9 December
The UK’s data watchdog is at an advanced stage of at least three GDPR enforcement proceedings, GDR has learned.
By Sam Clark, 10 December
Telecommunications company 1&1 has vowed to fight a €9.5 million GDPR fine levied against it by Germany’s federal data protection regulator.
By Alex Pugh, 16 December
A Polish court upheld the country’s first GDPR enforcement action – but overturned the fine and ordered a recalculation.
By Tom Webb, 18 December
Google denied an Australian watchdog’s “artificial and incorrect” allegations that it misled consumers about its collection and use of location data.
By Ken Silva, 19 December
Nevada-based RagingWire Data Centers moved to have a US Federal Trade Commission Privacy Shield complaint dismissed, calling the enforcement action a “waste of FTC resources, this court’s time, and RagingWire’s resources”.
By Sam Clark, 19 December
A European Court of Justice advocate-general’s opinion in Schrems II argued that standard contractual clauses should remain in force – but that companies and regulators must check that the contracts actually protect data, and that the EU-US Privacy Shield could be invalid.