According to a recent study on EU privacy, penalties for violating the law increased almost sevenfold in 2021. Since January last year, EU data protection authorities have set fines for violating the bloc's General Data Protection Regulation (GDPR) at $1.25 billion. Reports of data breaches from firms increased by 8%, on average up to 356 per day. The GDPR has been in effect since 2018. Amendments to the EU data rules will give consumers in Europe more control over their information.
Companies must provide a clear legal basis for collecting and processing users' data. Firms must notify the government within 72 hours of any data breach. Failure to do so can lead to potentially stiff penalties: up to 4% of the company's annual global revenue or $22.8 million, whichever is higher.
EU privacy and penalties
In 2021, EU regulators imposed record penalties under the GDPR. Most of the penalties fell on Big Tech. A Luxembourg privacy regulator fined Amazon $850 million. Also, the Irish government fined WhatsApp €225 million. Both firms are in the process of appealing the fines.
In fact, regulators often need time to impose hefty fines because investigations take time. The law still has many open legal questions. Among them is the issue of cross-border data transfer between the US and the EU.
In 2020, the European Court of Justice issued a seismic ruling that abolished the use of the Privacy Framework, the legal framework for transferring data across the Atlantic. The decision was called "Schrems II" after Austrian privacy activist Max Schrems, who initially started the case.
Although the Privacy Shield has been struck down, the ECJ has at least maintained the validity of the standard treaty clauses, another mechanism by which data flows between the EU and the US are legally justified. However, firms are still trying to figure out the consequences of the decision. The main argument of the ruling is that the US data protection regime is not equivalent to the EU regime.
McKean says the challenge for organizations is the legal uncertainty around EU-US data transfers. Standard contractual provisions are the most popular method for legally carrying out such transfers. US and EU officials outline plans for a new data agreement, which will replace the Privacy Shield.
Meta is caught up in a heated conflict with the Irish Commission. The DPC has called on Meta to stop using SCCs to send customer information from Europe to the US. It is examining the company's data transfer practices. Meta provided temporary execution of the order; however, the Irish Supreme Court allowed the regulator to continue the investigation.
According to the Austrian Data Protection Supervisor, using Google Analytics violates the GDPR. This potentially exposes user data to US intelligence agencies. The decision is aimed at the website publisher that uses Google's web analytics service.
In addition, like Meta and other major American technology companies, Google relies on SCCs for EU-US data transfers. However, according to Google, firms that use Google Analytics control what data the tools collect and how it is used. Accordingly, the company ensures full compliance with protection, control, and resources. Also, almost every organization has an international supply chain and international data transmissions.
In addition to increased legal uncertainty, McKean suggests that the number of GDPR fine appeals will increase further in 2022.