Dive Brief:

• Member states of the European Union increased their budgets by 49% and staffing by 42% between 2016 and 2019, for all national data protection authorities, according to a report published by the European Commission in regards to the General Data Protection Regulation (GDPR). 
• To accommodate companies with consumers across borders, GDPR regulators established a "one stop shop" governance system so an entity only has "one data protection authority as interlocutor," according to the report. Since GDPR's 2018 enactment, 141 draft decisions and 79 final decisions were made through the "one stop shop." 
• The majority of EU citizens, 60%, are aware of their right to access personal data collected by public administrations, according to a survey from the European Union Agency for Fundamental Rights. However, only half of citizens are aware their rights extend to private companies.

Dive Insight:

The European Commission's report is a testament to the progress GDPR has made in terms of consumer data privacy rights. The report is also evidence that there are areas for improvement — namely giving the regulation some teeth.

As watchdogs bulk up budgets and staff to respond to more infringements, a degree of consistency should follow, Aaron Tantleff, partner in Foley's Privacy, Security and Information Management & Technology Transactions and Outsourcing Practices, told CIO Dive. "Based solely on my own experiences … when a penalty is issued, they are smaller in nature if the organization is the party that alerts the supervisory authority," as opposed to the authority finding out by other means. 

While, COVID-19 has contributed to a decline in investigations, companies shouldn't expect 2020 to be clear of enforcement, he said. Just because fines haven't been as robust as anticipated, the side effects of GDPR are evident: "Curtail behavior that society deems unacceptable." 

As a result of GDPR and impending legislation in the U.S., such as the California Consumer Privacy Act, businesses have invested millions in data protection. "This is an investment that would not have happened but for the GDPR," said Tantleff.

Regulators historically cite budgets as a reason they can only pursue so many infringements. There was a boost of regulatory activity in 2019, but "penalties handed out have generally been smaller than what many had anticipated," said Tantleff. "The potential for significant fines remains, but what's been handed down has hardly been viewed as overbearing." 

Some member states have been more aggressive in their pursuit of infringements, while others have yet to issue a fine. Between GDPR's May 2018 enactment and January, 28 EU member states reported upwards of 160,000 breach notifications. With the exception of penalties handed down by the UK's ICO, during that time frame, data privacy watchdogs issued $126 million in fines. Research suggests that there shouldn't be an expectation of "low and infrequent" fines. 

The public sector, media, telecommunications and utilities lag the most in GDPR compliance. Companies issued the heaviest fines under GDPR include:

• British Airways ($230 million) and Marriott International ($124 million) by the United Kingdom's Information Commissioner's Office (ICO)
• Google ($57 million) by France's National Data Protection Commission

Google's penalty, issued in January 2019, was hailed as the first "game-changing" fine of GDPR. Regulators claimed the advertising company failed to appropriately relay what consumer data it collected, how long it was stored, and insufficiently gathered consent.