GDPR - 2 years later

 May 25, 2020

As it is becoming a sort of tradition, here we are, after two years from the enactment of GDPR to see how it performs in the real world.

In our previous yearly check, we analyzed the situation from two points of view: the banners and the fines. Let’s see how those two topics have evolved in the last year.

The Cookie Banners

On the 1st of October 2019, with the judgment in case C-673/17, the European Union Court of Justice clarified that pre-ticketed consent checkboxes are not sufficient since the consent has to be expressed actively by the user. This requirement was clear to me since my initial approaches to the GDPR, since it was clear that this was the only way to respect the Regulation’s spirit. Still, it is very nice to see it stated explicitly by the European Union Court of Justice.

Aside from this good news, the situation is still pretty bad. In the Report by the (Irish) Data Protection Commission on the use of cookies and other tracking technologies, they affirm that “it is our view that almost all of the sites continue to have compliance issues, ranging from minor to serious”.

It is in work the update of the ePrivacy Regulation, and no update has been published in a while. I guess the COVID-19 situation is the root cause of this silence, but I think we will soon find out more about it.

Overall, on the banner side, we are very far from an ideal world, but that ideal world is more clearly defined.

Fines

In July 2019, I affirmed that huge privacy fines are good, now we need more of them in a blog post. In that blog post, I covered three major fines that were just announced. Of those, two were for GDPR violations.

As of today, around 250 GDPR related fines have been inflicted for a total of more than 468M€. The increase in these numbers is very high, compared to last year’s numbers (51M€ in 40 fines). Another positive point is the increase if the average fine amount from 1.28M€ to 1.87M€.

There are three fines I’d like to mention: the two to Eni (fine 1, fine 2) and the one to TIM (fine). I think those are important since those companies have a large share of stocks owned by the National Government (30%+ for Eni and 9%+ for TIM). Those are not the only case where public institutions have been fined, but are very significant due to the amounts (a total of 29.3M€). This should be a reminder for everyone, even publicly participated companies and public administrations, that they are not above the law when they manage personal information.

Overall, I think that from a fine point of view, we are starting to see more correct numbers.

Next year predictions

For the next year, I expect that the following thing will happen:

• the ePrivacy Regulation will be updated
• the number of fines and their average amount will increase

I do not expect the Cookie Banner situation to improve significantly, but I hope to be wrong.