Nieman Foundation at Harvard
Indian journalists are on the frontline in the fight against election deepfakes
ABOUT                    SUBSCRIBE
May 28, 2019, 10 a.m.

One year in, GDPR fines haven’t hit publishers — or very many other companies, actually

More than a dozen EU countries haven’t issued a single GDPR fine yet, and the those that have have generally been small. (Unless your name is Google.)

Over the weekend, the GDPR celebrated its first birthday, presumably by blowing out a single candle on a cake made entirely of ABOUT COOKIES ON THIS SITE webpage overlays. The General Data Protection Regulation came into force on May 25, 2018, and promised to be a milestone in Internet user privacy and data awareness. For end users, though, it’s mostly seemed to mean a lot more “I agree” buttons to click and “Yes, you can really send me emails, that’s literally why I’m signing up for this email newsletter in the first place” checkboxes.

The employment law firm Ius Laboris has assembled data from across the European Union on how, exactly, the GDPR has been enforced in that year. Companies, including publishers, spent a lot of money getting GDPR compliant in order to avoid the huge fines the new regulations allowed — up to 20 million euros of 4 percent of a corporation’s entire global revenue.

So how has it been enforced so far? Not all that much.

Ius Laboris has country reports from 25 of the 28 EU states (sorry, Estonia, Malta, and Romania) and the summaries are worth reading if you’re into this sort of thing — but here are a few of the highlights.

  • Quite a few countries have issued exactly zero GDPR fines, including Belgium, Croatia, the Czech Republic, Denmark, Finland, Ireland, Italy, Luxembourg, Slovakia, Slovenia, Spain, Sweden, and the U.K.

    In some cases, that’s an issue of delay: Each country has to embed the GDPR into its own national laws, and some have been slower than others in doing so — as well as the obligatory follow-up actions of appointing the people who’ll make the decisions and so on. But others appear to have just taken a lighter approach to enforcement, preferring sending legal nastygrams to companies that appear to be on the wrong side of the law.

    (And in a few cases it’s theoretically possible that Ius Laboris missed a fine, such as in Germany, where they’re handled by individual state authorities rather than a federal entity.)

  • The countries that have imposed GDPR fines have generally done so at a very limited scale. Austria has issued only three fines, all around illegal video surveillance. Cyprus and Portugal have each issued four, Poland two, and the Netherlands one. Latvia’s largest fine was 2,000 euros, Bulgaria’s 5,000 euros.
  • Some examples of fines issued: Greece fined phone companies 150,000 euros for “making unsolicited calls” and oil companies 30,000 euros for “unlawful processing and failure to comply with the required organizational and technical measures.”

    Lithuania fined “the electronic money institution MisterTango” 61,500 euros for, among other things, failure to disclose a data security incident.

    The Netherlands had only one fine, but it was a biggie: 600,000 euros for Uber, also for not reporting a security breach. (Uber has also faced a 400,000 fine from France and a negative ruling from authorities in Greece.)

    One of Poland’s two fines went to “a sports association for failing to delete judges’ data effectively.” One of Portugal’s four was 400,000 euros for a hospital that gave staff “indiscriminate access…to patients’ data.”

    While Denmark hasn’t issued any fines yet, its first is currently in the pipeline, for a taxi company found to be storing 9 million riders’ phone numbers.

    Hungary has issued a number of fines of about HUF 1 million (around 3,000 euros), including to a credit management company that didn’t delete a user’s phone number after being asked and to a company that deleted camera recordings a person had wanted to use as evidence in a legal proceeding.

  • A few countries have issued GDPR-like fines but not technically under the GDPR; instead, they’re being justified under similar but previously on-the-books laws as GDPR implementation continues apace. Spain, for instance, fined Facebook 600,000 euros for sharing data from WhatsApp to the mothership “without valid consent” and “using it for a purpose for which consent was not given.” (That case began before GDPR was officially on the books.) The U.K. also fined Facebook, this time 500,000 pounds, under its Data Protection Act 1998.
  • But as is often the case in the EU, it appears to be France and Germany that have done the heaviest lifting.

    Germany has issued 75 fines under the GDPR, though they total only 449,000 euros between them. (The largest was 80,000 euros.) Also fun: The German law implementing GDPR is known as the Bundesdatenschutzgesetz.

    Meanwhile, Paris has levied by far the largest fine under the GDPR: 50 million euros on Google for a panoply of different data privacy issues around targeted advertising. That fine alone makes up nearly 90 percent of all fines issued in GDPR’s first year, which add up to about 56 million euros.

    France has also had a number of other large fines: 250,000 euros for Bouygues Telecom, 400,000 euros for Uber, 50,000 euros for Dailymotion, and 250,000 euros for something called Optical Center, “all relating to a lack of technical measures securing client data.”

As far as I am aware — and based to Ius Laboris’ findings — no publishers have faced a GDPR fine. (Speak up if you know differently.)

Of course, a regulation shouldn’t be judged purely on how many fines it hands out. A number of investigations — particularly in Ireland, where many American tech companies officially homestead their user data — will likely bear fruit in a future season. All the work that went into GDPR compliance no doubt prevented any number of violations from happening and forced companies to reevaluate core questions about how they store and process user data.

But for those for whom it was the threat of bajillion-dollar fines that got them interested in the GDPR — that doesn’t appear to have come to pass. Yet. (Unless you work at 1600 Amphitheatre Parkway in Mountain View.)

Joshua Benton is the senior writer and former director of Nieman Lab. You can reach him via email ( or Twitter DM (@jbenton).
POSTED     May 28, 2019, 10 a.m.
Show tags
Join the 60,000 who get the freshest future-of-journalism news in our daily email.
Indian journalists are on the frontline in the fight against election deepfakes
The ongoing general election is a pressure test for how to report on political voice clones and video spoofs
Welcome to the neighborhood! How Documented brings NYC immigration news to Nextdoor’s Caribbean communities
“We are bringing onto this platform — where people usually talk about their lost cat or that they’re looking for an apartment — serious news content sparking a new kind of conversation.”
ProPublica’s new “50 states” commitment builds on a decade-plus of local news partnerships
With annual revenue of $45 million and a staff approaching 200 people, ProPublica has been one of the big journalism winners of the past decade. And it’s been unusually willing to spread that wealth around the country.