Regulators are set to exercise their new powers by handing out fines and even temporary bans on companies that breach a new EU privacy law, with the first round of sanctions expected by the end of the year, the bloc’s privacy chief said.
The European Union General Data Protection Regulation (GDPR), heralded as the biggest shake-up of data privacy laws in more than two decades, came into force on May 25.
The new rules, designed for the digital age, allow consumers to better control their personal data and give regulators the power to impose fines of up to 4% of global revenue or €20 million (£17.5 million), whichever is higher, for violations.
Enforcers have since then been deluged by complaints about violations and queries for clarification, with France and Italy alone reporting a 53% jump in complaints from last year, European Data Protection Supervisor Giovanni Buttarelli said.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters in an interview.
Data controllers, which could include social networks, search engines and online retailers, collect and process personal data while a data processor only processes the data on behalf of the controllers.
Fines are levied by national privacy regulators in the various EU member states. While Buttarelli does not personally impose fines, he coordinates the work of privacy agencies across the bloc.
Fines could be imposed on any company that operates in Europe, no matter where it is headquartered.
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli said.
He said the sanctions will be imposed in many EU countries and will hit many companies and public administrations but declined to provide details because investigations were still ongoing.
Complaints filed against Google, Facebook, Instagram and WhatsApp by Austrian data privacy activist Max Schrems on the same day the GDPR rules were implemented are not expected to be among these cases as they are still at a preliminary stage, he said.