Member News

GDPR: (Almost) one year later

The EU General Data Protection Regulation (GDPR) took effect 11 months ago. After almost a year of GDPR that became applicable on May 25, 2018, it should be investigated how the main subjects of this Regulation – the companies processing personal data and the member states’ supervisory authorities (“Supervisory Authorities”)– are dealing with it.

For instance, the recent Open Right Group’s survey (see below) [1] shows the number of complaints made by the data subjects (Chart 1) and the number of data breach notification made by the companies (Chart 2) and received by eleven European Supervisory Authorities from May 25, 2018 until March 1, 2019.[2]

Chart 1 – Complaints


Chart 2 – Breach Notifications


In short, these numbers show that several complaints and data breach notifications have been filed with all the Supervisory Authorities. Such numbers play an even more significant role if compared to the GDPR’s status showing that only few data breaches were reported.

Crunching the numbers

The data shows that the Supervisory Authority of the United Kingdom (“UK”) received more complaints than other countries. However, the comparison of this data with the presence of individuals in the country (per capita) shows the UK had roughly 51 complaints per 100,000 people. Comparing such data with other per capita data shows a different picture of the UK Supervisory Authority’s activity.

Ireland had relatively few complaints, but had roughly 57 complaints per 100,000 people. This data is higher than the UK. The reporting period for Ireland was around two months shorter than the other countries in the report. However, there is some undercounting here. Hungary had an average of approximately 10 complaints per day in this reporting period and around 29 complaints per 100,000 people. This data is higher than Poland, for example, which had more complaints overall but had around 15 complaints per 100,000 people on a per capita basis.

As with complaints, the UK Supervisory Authority received mostly breach notifications – an average of around 42 per day over the course of the reported period. Ireland had fewer notifications, but had around 70 notifications per 100,000 people over their reporting period. This is probably due to the large number of businesses headquartered in Ireland, particularly in the tech industry. Sweden also received a relatively large number of breach notifications – 33 per 100,000 people.

Such numbers were supported by a recent panel hosted by the International Association of Privacy Professional which concluded that the GDPR has been a successful breach notification law, but has been failing in imposing fines on companies, namely “data controllers”, which were not in compliance with the GDPR.

Indeed, while each European member state had its own breach-notification policy before the GDPR, the entering into force of the GDPR “skyrocketed” such notifications. However, with regard to fines, the European Data Protection Board showed that (as of February 26, 2019) Supervisory Authorities from 11 EEA countries imposed fines equal to the overall amount of Euro 55,955,871.[3]

This data appear significant but, a deeper analysis shows that such data is actually inflated by the massive sanction imposed against Google in January 2019 equal to Euro 50 million. Since 2018 Google’s revenues are approximately USD 136,8 billion, such fine accounted for 0,004% only of Google’s total revenues. A speck of the maximum 4% of the total worldwide annual turnover that could have been imposed.[4]

It should be noted that the remaining fines compared to the number of complaints and data breach notifications show that the vast majority of data controllers are still not being fined, or fined insignificantly.

The Road Ahead

The question now is: how long will this apparent impunity last?

The GDPR compliance proved to be exactly as it was expected: “costly and time-consuming” and the European legislator probably knew it long before May 25, 2018, as every member state’s Supervisory Authorities.

Approaching the GDPR’s first anniversary, it should be noted that it entered into force on May 2016, thus almost three year ago and “the music is now getting softer and the party soon will be over”.

Across Europe, Supervisory Authorities’ conferences clearly they are approaching the second stage: target controls triggered by data subjects’ complaints, as well as random controls will be followed by heavier sanctions (that in these lack of financial resources hard-times where public authorities more than often fell short of budget, will definitely be welcomed).


When the processing activities relate to the offering of goods or services to data subjects located in the European Union, or to the monitoring of their behavior as long as it takes place within the Union, GDPR applies, regardless the location where the data processing takes place.

All companies subject to the GDPR but not in compliance with such regulation, especially those involved in pending M&A transactions, should immediately consider their compliance status implementing a compliance’s roadmap on a time-cost basis.

[2] Austria, Cyprus, Germany, Greece, Hungary, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom.
[4] Article 83 GDPR

Compliments of AEM Carnelutti, a member of the EACCNY