GDPR Regulatory Inquiries – Key Enforcement Trends
Targeted behavioural advertising, processing children's data, use of AI technologies and effective data governance are key legal issues attracting supervisory authorities attention across the EEA, the UK, Norway, Iceland and Liechtenstein. Deirdre Crowley assesses key enforcement trends and offers predictions for 2023.
Ireland fined the most of any European Economic Area ("EEA") country in 2022. Luxembourg is in second place, having issued the highest individual fine of €746m to Amazon1. This upward trend in fines issued can be seen across the EEA, with an estimated 170% increase in fines reported in 2022, compared to 2021.
The European Data Protection Authority ("EDPB") has emerged as a key driver in the upward climb in fines. Recent decisions show a clear pattern of fines being increased when reviewed by the EDPB in the context of the General Data Protection Regulation ("GDPR") consistency mechanism - the EDPB has yet to reduce a fine referred to it. In a 2022 case involving the French supervisory authority, the CNIL, the binding decision of the EDPB (Decision 01/2022) directed that one fine be increased six fold in order to meet the Article 83(1) GDPR requirement that the fine is sufficiently dissuasive.
A notable change in the EDPB's approach is its willingness to direct Regulators not only to increase their fines but also to reopen parts of their investigations. This marks a new departure in the area of enforcement and has been met with strong resistance from the DPC who is seeking to annul the EDPB's direction to require the DPC to conduct a fresh investigation that would span key aspects of Meta and Instagram's data processing activities.
A marked increase in fines can be seen in the Artificial Intelligence ("AI") space with high fines from Italy, France, Greece and the UK applied against Clearview Inc for transparency and lawfulness violations. The draft AI Liability Directive2 published on 28 September 2022 crystallises penalties that will apply when the draft Artificial Intelligence Act3 is implemented. The new suite of legislation relating to AI is complementary and additional to the GDPR. The effect of the legislation will be a game changer for any business relying on AI powered technologies to make decisions in relation to personal data.
The law on enforcement in the data space is far from settled – what is clear is that enforcement will remain a key priority issue in 2023 and for the foreseeable future.
Fines are continuing to increase and data regulators, including the DPC, are using the full suite of corrective powers available to them to send the message that data compliance is big business and is here to stay.
Here we take a look at big ticket enforcement decisions from Ireland and Europe in Q4 2022.
References [1] At the time of writing, this fine is not publicly available and is subject to an ongoing appeal. [2] 2022/0303 (COD) - Proposal for a Directive of the European Parliament and of the Council on adapting non-contractual civil liability rules to artificial intelligence. [3] 2021/0106 (COD) - Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union Legislative Acts.
