Analysis: completed cross-border GDPR enforcement
The European Data Protection Board published a public register of all completed GDPR cross-border cases yesterday – approximately two years after the regulation came into force. It offers a unique look into the European cross-border enforcement landscape.
GDR crunched the numbers to bring you the key takeaways – including the matters that have attracted enforcers’ attention, and how regulators have concluded their investigations.
The data has some flaws: because of national legal restrictions, none or only some of the decisions from regulators in three German states, Lithuania, the Netherlands and Spain are available on the register. But it still shows companies and their advisers what matters have attracted international enforcement, and how regulators have taken action against potential GDPR infringements.
For lawyers advising internationally, it is important to know which jurisdictions are busiest. The chart below shows which authorities have completed the most cases for which they are either the lead authority or concerned authority. As usual, the numbers are skewed towards Germany – GDR collated figures from all German state authorities and the country’s federal authority together for the purposes of this analysis.
French authority CNIL, meanwhile, has completed the second-most cross-border cases for which it is lead authority.
The following visualisation shows the most common legal issues involved in completed cross-border cases, according to the EDPB’s data. It seems noteworthy that some of the most common issues relate to data subjects’ rights – with transparency matters also coming up regularly.
The EDPB’s register also provides details of the outcomes in each case. GDR has measured outcomes in cases involving the five most-cited legal issues, to give an idea of the likely conclusion of cross-border cases involving the most common GDPR matters.
The following shows the outcomes in all completed cross-border GDPR cases so far. Fines are seemingly quite rare: the most likely outcome is a finding that there was no violation.
Finally, the chart below shows the number of times completed cross-border GDPR cases involved keywords chosen by the EDPB – hopefully providing an idea of the most risky areas for businesses in terms of data protection.
Previous analysis by GDR of European Data Protection Board figures highlighted a lack of resources at data protection authorities across the continent – but also found a trend of increasing budgets as enforcement of the landmark data protection regime becomes more important.