The head of data protection in Brussels has predicted that the first enforcement action against companies in breach of GDPR will be issued before the new year, amid reports that regulators across the EU are being inundated with complaints.
European Data Protection Supervisor Giovanni Buttarelli told Reuters that the various enforcement agencies across each member state have been overwhelmed by a spate of complaints.
“I expect first GDPR fines for some cases by the end of the year,” said Buttarelli. “Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
“The fine is relevant for the company and important for the public opinion, for consumer trust,” he added. “But from an administrative viewpoint, this is just one element of the global enforcement.”
The UK Information Commissioner’s Office has already reported that data protection complaints soared by 160% in the first three months since the regulation came into force in May and that it was receiving over 500 calls per week; France, Ireland, Luxemburg and Austria have also reported an increase in complaints.
The ICO is believed to have a number of ongoing investigations, including Ticketmaster, which suffered a breach on its systems in late June.
Although enforcement of data protection policies is handled by independent national regulators within each member state, part of Buttarelli’s brief is to coordinate their actions.
He believes that those likely to be sanctioned will include companies headquartered across many EU countries, and a number of public bodies, although he refused to elaborate.
However, given the complex nature of GDPR and the workload involved in such investigations, others believe it could take far longer.
In a recent interview, Marit Hansen, the head of one German data protection authority, said: “For clear and simple cases, it will take some months before a fine will be issued. For the majority it will take longer. This is comparable with state prosecutions which can take more than a year.”
Hansen added that six months for the issuing of the first GDPR fines “would be quick”. In larger cases, she warned, regulators will have to deal with the complexities of cross-border cooperation, the relative inexperience of staff in handling court cases (compared with companies’ lawyers), and the fact that judges will have limited case law to go on as they make their decisions.
Data breach complaints soar by 160% in three months
The dam bursts: companies hit by flood of data requests
ICO takes no prisoners as complaints and fines rocket
Only a fifth of UK companies are compliant with GDPR
Let battle commence: first GDPR complaints are filed