The GDPR introduces some very high fines for violations, and for many countries in Europe this will be a major change. – In this context, it’s interesting to have a look at Spain, where the Data Protection Authority has already been able to enforce fines of up to 600,000 EUR for several years.
Ricard Martinez of the Spanish Data Protection Association APEP wrote a very interesting article on the challenges that come with high privacy fines.
My key take-aways from his post are:
- The total annual amount of fines in Spain has been between 15 and 20 million EUR over the last decade.
- The majority of the sanctioned companies are in the telecommunications, video surveillance, and financial industries. Their relative share stays about the same year by year. – So the high fines do not appear to be a crucial deterrent.
- The legislator had to modulate the sanctions to balance the impact on small and medium enterprises. – It’s important that the DPAs harmonize around this before the GDPR becomes effective, as the overall effect might be unfair.
- The volume of complaints is steadily increasing from year to year. This has an impact on the ability of the DPA to take action: the number of actual infringement statements is staying constant. – Any news on DPA actions seems to increase the volume of complaints further.
There’s much more information in Ricard Martinez’ post, and I encourage you to read more at http://www.phaedra-project.eu/the-challenge-of-the-enforcement-in-the-proposal-for-a-general-data-protection-regulation-2/