Before the GDPR became applicable, one in three articles was about envisioned data protection fines. Companies controlling personal data strove to establish management processes in line with the strict rules. At client consultations, we always discussed the goal of avoiding fines. However, in my opinion, businesses that control large amounts of personal data should not carry out their compliance project with this focus.
What about the “big players”, whose examples show the authorities' ability to act and to fine? Recent years have shown that data protection authorities, to varying degrees, may not be able to keep up with the data collection and use practices of tech companies and other enormous data controllers (e.g. Facebook, LinkedIn, Google, Booking.com, etc.). Moreover, they do not always have jurisdiction over businesses established in another state (in the case of tech companies, often Ireland). The annual report prepared for 2020 by the Hungarian National Data Protection and Freedom of Information Authority (NAIH) shows that the total amount of all fines was around 256 million forints. We have then observed how the Irish data protection authority is forcing data controllers to comply with the law, but we do not see deterrent examples in their report either. (The Irish Data Protection Authority acknowledged that 99.93% of the complaints received had not been decided.)
Given the above figures, the question arises as to whether smaller businesses need to worry at all. If we look strictly at the practices of data protection authorities, in my view, the threat of fines has become overstated (and was not an appropriate approach beforehand either).
At the same time, it is natural that companies are concerned about possible proceedings that not only have financial consequences but also carry reputational risk. In addition to the data protection authority, competition authorities are also becoming more prominent in data protection issues. We see that, alongside the NAIH, the Hungarian Competition Authority (GVH) has also “entered” the group of authorities that may impose fines. In Hungary, for example, the GVH imposed an exceptionally high fine of 1.2 billion forints on Facebook, a case that is still in court. The company – although it advertised its service as free, and customers didn’t have to pay to use it – made a business profit from user activities. The case points out that worrying data protection practices may also be noticed by the competition authority if consumers are affected.
“Data is the new oil.” This commonplace could not be truer, whichever way we look at the tech companies’ data management. As these businesses generate huge income by controlling our personal data, they are also increasingly targeted by audit bodies. This may even have a welcome result in the distant future (although it seems utopian currently), namely that the data will be controlled more ethically and responsibly by the companies involved.