56 million euros in fines - the results of the year with the GDPR

Published data on the total amount of fines for violations of the regulations.

(photo: bankenverband, PD)

Who published the report on the amount of fines

The General Data Protection Regulation will only turn one year old in May - but European regulators have already summed up the interim results. In February 2019, a report on the results of the GDPR was released by the European Data Protection Board (EDPB), the body that monitors compliance with the regulation.

The first fines under the GDPR were low because companies were unprepared when the regulation came into force. For the most part, violators paid no more than a few hundred thousand euros. Still, the total amount of penalties turned out to be quite impressive: almost €56 million. The EDPB report also provided other information about the "relationship" between IT companies and their clients.

What does the document say and who has already paid the fine

Since the regulation came into force, European regulators have opened about 206 thousand cases concerning personal data. Almost half of them (94 thousand) are based on complaints from individuals. EU citizens can file a complaint about violations in the processing and storage of their personal data with their national supervisory authority, which then investigates the case within that country's jurisdiction.

The main topics Europeans complained about were violations of data subjects' rights and consumer rights, as well as personal data leaks.

Another 64 thousand cases were opened following data breach notifications from the companies responsible for the incidents. It is not known exactly how many of these cases ended in fines, but in total the offenders paid almost €56 million. According to information security experts, most of this amount will have to be paid by Google: in January 2019, the French regulator CNIL fined the IT giant €50 million.

Proceedings in this case lasted from the first day of the GDPR, when a complaint against the corporation was filed by Austrian data protection activist Max Schrems. The activist's complaint concerned the insufficiently precise wording of the consent to personal data processing that users accept when creating an account on Android devices.

Prior to the IT giant's case, fines for non-compliance with the GDPR were significantly lower. In September 2018, a Portuguese hospital paid €400 thousand for a vulnerability in its medical records storage system, and a German chat application paid €20 thousand (customer logins and passwords were stored unencrypted).

What experts say about the regulation

Representatives of regulators believe that in nine months the GDPR has proven its effectiveness. According to them, the regulation helped draw the attention of users to the issue of the security of their own data.

Experts also highlight shortcomings that have become noticeable in the first year of the regulation. The most important of them is the lack of a unified system for determining the amount of fines. According to lawyers, the lack of generally accepted rules leads to a large number of appeals. These appeals have to be sorted out by the data protection authorities, which leaves them less time for the complaints of EU citizens.

To address this issue, regulators from the UK, Norway and the Netherlands are already developing rules for determining the amount of a penalty. The document will collect the factors that affect the size of a fine: the duration of the incident, the speed of the company's response, and the number of people affected by the leak.

(photo: bankenverband, CC BY-ND)

What's next

Experts believe that it is too early for IT companies to relax. It is likely that the fines for non-compliance with the GDPR will increase in the future.

The first reason is frequent data leaks. According to statistics from the Netherlands, where personal data breaches had to be reported even before the GDPR, the number of breach notifications more than doubled in 2018. According to data protection expert Guy Bunker, new GDPR violations are becoming known almost daily, so in the near future regulators will become tougher on delinquent companies.

The second reason is the end of the "soft" approach. In 2018, fines were a last resort; for the most part, regulators sought to help companies protect customer data. However, several cases are already under consideration in Europe that could lead to large fines under the GDPR.

In September 2018, a massive data breach occurred at British Airways. Due to a vulnerability in the airline's payment system, hackers had access to customers' credit card information for fifteen days. An estimated 400 thousand individuals were affected by the hack. Information security specialists expect that the airline may pay the first maximum fine in the UK: €20 million or 4% of the corporation's annual turnover, whichever is higher.

Another contender for a major financial penalty is Facebook. The Irish Data Protection Commission has opened ten cases against the IT giant over various GDPR violations. The largest of these occurred last September, when a vulnerability in the social network's infrastructure allowed hackers to obtain tokens for automatic login. The hack affected 50 million Facebook users, 5 million of whom were EU residents. According to ZDNet, this data breach alone could cost the company billions of dollars.

As a result, companies should be prepared for the GDPR to show its strength in 2019, with regulators no longer turning a blind eye to violations. Most likely, there will only be more high-profile cases of violations of the regulation in the future.


Source: habr.com
