Fines under the GDPR: How a DPA May act as of 26 May 2018


In February 2018, I shared some thoughts in an article titled ‘3 months before the GDPR – what if you don’t comply?’, which intended to explain how the sanction regime under the GDPR may be applied by the data protection authorities (DPAs), also indicating that fines may not be the only or preferred route for the authorities in case of non-compliance with Regulation (EU) 2016/679.

As many organizations are looking for answers on what may happen as of 25 May, here is an interesting infographic designed by the IAPP showing that the approach to fines differs drastically from jurisdiction to jurisdiction.

And the attitude of data protection authorities is likely to have an impact on how seriously companies take the GDPR, depending on where they are located, where they operate, offer goods and services or monitor data subjects’ behaviour, before which data protection authority (DPA) data subjects may lodge a complaint, etc.

Here are the very different approaches taken by four DPAs for the day after 25 May 2018:

  • “there will be fines, and they will be significant…” (Helen Dixon, Irish DPA);
  • make sure compliance is a focus throughout the company; it is a strategic question that has to reach all levels of the company and follow a strategic decision from the top (Isabelle Falque-Pierrotin, French DPA);
  • “Voluntary compliance is still the preferred route, but we will back that up with tough action where it’s necessary” (Elizabeth Denham, British DPA); or
  • “It’s not our first task to fine, it’s our first task to see if you’re compliant, and if you’re not compliant it will be a problem […]” (Andrea Jelinek, Austrian DPA).

These approaches are understandable if you think about what types of companies are located in which country. Many big players, including the GAFAM, have their data centres in Ireland and are known for practices or services that motivated the regulators who drafted the GDPR. While the French and British approaches seem to focus more on supporting compliance in a pragmatic way, the Austrian approach shows a more relaxed position, furthest from the Irish one. Whether a DPA takes the strict, supportive or more relaxed approach may also depend on each Member State’s readiness, as a majority of them have not yet passed the legislation adapting their national laws to the GDPR.

You can track each country’s national-law derogations from the GDPR, country by country, on this page.

Although many people mention 26 May as the date on which the GDPR takes effect, the GDPR applies as of 25 May 2018 (not 24 or 26). 26 May is probably mentioned as “the day after”, because it is unrealistic to think that any organization will receive an audit request, or be contacted by the authorities, on that famous day, and it takes at least one day to send a letter… Maybe some DPAs have already prepared their letters and audit requests and joined forces for a massive GDPR assault on the data protection beach, but this would be pretty surprising.

Finally, the GDPR institutes a consistency mechanism (referenced in particular in Recitals 135, 136, 138 and 150, and in Article 63 and following), aiming to promote cooperation and align the authorities’ approaches to the application of the Regulation. Among other goals, this mechanism seeks to have the lead and supervisory authorities, the Board and the Commission work together for a consistent application of the GDPR, including “to promote a consistent application of administrative fines” (Recital 150). Over time, this mechanism and cooperation among EU authorities may polish these very different approaches to fines. This being said, each country will remain free to tackle privacy issues according to its own culture.

Future will tell…

By Gabriel Avigdor | NTIC