- High-profile GDPR settlements point to an enforcement uptick, but the backlog in Ireland lags
- US enforcement patterns emerge from patchwork of Federal and state laws
- State laws present a pathway to class-action lawsuits against Big Tech
Read more below.
GDPR Compliance Enforcement Lags, While State Laws in the US Differ on the Right of Private Citizens to Seek Damages
Our recent blog about the EU’s General Data Protection Regulation (GDPR) and China’s new Person Information Protection Law (PIPL) discussed the possibility that China may come out of the gate eager to enforce – this in marked contrast to the EU, which allowed two years of lead-time before enacting the GDPR in 2018. In this post, we take a deeper look at the state of EU privacy enforcement, as well as emerging trends in the US, where Federal agencies, state Attorneys General (AGs), and private citizens share the enforcement mantle.
A Few High-Profile GDPR Settlements Point to an Enforcement Uptick, but Backlog in Ireland Suggests Otherwise
Recent reporting shows that EU privacy enforcement authorities levied €984.47 million in fines (more than $1.14 billion) in the third quarter of 2021, representing a 2,000% increase over Q1 and Q2 combined.
Those numbers, along with the high profile nature of some recent findings against Facebook’s WhatsApp (€225 million/$266 million) and Google (€50 million/$57.5 million), and Luxembourg’s whopping €746 million ($860,000) fine against Amazon, indicates the EU’s appetite for enforcement is on the rise.
But while open GDPR cases abound, recent criticism from the Irish Council for Civil Liberties (ICLL) shows that most EU nations are struggling to keep up with data compliance investigations due to short staffing and declining budgets. Ireland, whose favorable tax structure attracts the headquarters of US companies, leads the way in GDPR-related backlog: 98% of cases in which Ireland holds the lead status on cross-border data investigations remain unresolved.
The report suggests that Germany, home to EU financial hub Frankfurt, is one of the most effective EU member nations when it comes to funding and issuing decisions on GDPR investigations, while other nations have backed off from their peak funding year of 2018.
According to the ICCL, “Only 5 EU Member States have more than 10 tech specialists, but more than half (15) have only 4 or fewer.”
Given that major data compliance cases can take months or even years to resolve, and given the shortage of funds available to look deeply into data issues, it’s not surprising that the GDPR has seen inconsistent enforcement across the EU.
Look for a future blog post from RadarFirst discussing the types of violations that are receiving the most attention from EU compliance enforcers.
US Enforcement Patterns Emerge from Patchwork of Federal and State Laws
While EU nations rely on Data Protection Commissions to investigate and enforce law, Federal agencies drive only a fraction of enforcement in the US. Most cases related to federal laws stem from the financial, healthcare, and education sectors. The Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Office for Civil Rights (OCR), and the Family Policy Compliance Office (FPCO) rule on these investigations.
In 2021, the SEC showed its readiness to enforce, fining educational publisher Pearson $1 million and fining 8 investment firms a combined total of $750,000 for deficient cyber security practices.
State AGs can also use federal laws to pursue sanctions. The New York AG’s office has already levied fines of more than $600 million related to data breaches based on existing statutes. It also recently joined the FTC in levying fines for violations of children’s online privacy.
Thus far, only three US states – California, Virginia, and Colorado – have passed their own comprehensive data laws, though several others, including Illinois, Washington, and Texas, have laws on the books protecting certain kinds of data and its uses.
As more and more states consider their own legislation, it’s likely that state AGs will have a greater impact on privacy law enforcement than Federal governmental agencies.
Virginia and Colorado Data Laws Differ from California in Scope and Enforcement Options
California’s new law, the California Privacy Rights Act (CPRA), revamps the state’s existing California Consumer Privacy Action (CCPA, 2018). Under this approved ballot measure, the California Attorney General still has the right to bring cases claiming deficient practices, but a new state-run organization will also be created to investigate and enforce. New laws passed in Colorado and Virginia, however, reserve enforcement power for the state’s Attorney General only.
We won’t know what enforcement looks like under these new laws for some time, however, as all of them go into effect in 2023.
One interesting point of note: Virginia’s funding model relies on fines from investigations to fund future enforcement, so early cases brought by the Virginia AG could target bigger fish in order to create a pool of operational money.
State Laws Emerge as Pathway to Nationwide Class-Action Lawsuits against Big Tech
In some US states, law grants private citizens a right of private action, meaning they can bring lawsuits (usually in the form of class actions) seeking damages related to data breaches and misuse. Illinois’s law regarding the restriction of biometric data usage (BIPA) includes a private right of action and has been used to bring nationwide class actions against both Facebook ($650 million) and TikTok ($92 million).
California also allows for private right of action – in a recent case, Zoom settled for $85M – but Virginia and Colorado will not. Legislators in many states currently considering their own comprehensive data laws differ on allowing private right of action – Florida, for example, failed to pass its proposed data bill during the 2021 session over the matter.
Class-action lawsuits aren’t the only means at a private citizen’s disposal. In a future blog post, we will look at other ways consumers are playing a role in curbing corporate overreach, such as reporting breaches to their state officials, resulting in public Data Security Breach Reports, like this one in Texas, which grew to 28 listings in just over a month since its launch.
Data Laws May Affect Where Companies Set up Shop
Just as certain countries – such as Ireland – and some US states – such as Wyoming or South Dakota – structure their tax laws to attract corporate investment, it will be interesting to see if emerging data privacy and security laws serve as an incentive or a deterrent for companies looking for a place to do business.
Data privacy and security watchers have already noted that California’s laws are more like the EU’s – centered on protecting the individual – than Virginia’s and Colorado’s, which spell out broader legitimate data uses for corporations.
However, the emerging legal trend of using one state’s data law to go after a company nationwide means that organizations need to adopt practices that work in all 50 states.
Companies that can show a history of best practices – such as engaging third parties to evaluate processes, audit data flow, and secure storage – and that can act quickly in response to data breaches – will have a better chance of avoiding becoming a legal guinea pig.
Companies for whom the carrot of strong privacy practices is not yet a cultural benchmark may find themselves coming face-to-face with the proverbial stick of legal action.