First significant GDPR fines in the pipeline
The European Data Protection Supervisor, Giovanni Buttarelli, says that we can expect to see DPAs take enforcement action soon. Buttarelli told Reuters in an interview:
“I expect [the] first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
“The fine is relevant for the company and important for … public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of … global enforcement,” Buttarelli said.
He said the sanctions will be imposed in many EU countries and will hit many companies and public administrations but declined to provide details because investigations were still ongoing.
Austria has issued its first fine under the GDPR, to an organisation that had installed a CCTV camera in front of its establishment that also recorded images from a large part of the pavement. The DPA issued a moderate fine of 4,800 euros. Large-scale monitoring of public spaces is not permitted under the GDPR.
In the UK, the ICO has issued a notice to a Canadian data analytics company, AggregateIQ Data Services Ltd, as part of its ongoing investigation into the use of personal data for analytics and advertising, especially in the context of elections. The ICO has asked the company to stop using EU citizens’ personal data for analytics and advertising. Failure to comply could result in a fine of up to 4% of the company’s annual turnover. AggregateIQ has appealed the notice to the UK’s First-tier Tribunal for Information Rights.