The EU's General Data Protection Regulation (GDPR) launched with great fanfare last spring, but Yle News found that neither Finland’s data protection ombudsman nor European data protection authorities have levied a single fine on companies failing to comply with the new rules.
In the aftermath of scandals over Facebook and Cambridge Analytica data misuse, GDPR aimed to empower private individuals to know more about the personal information service providers have on them. The new data protection regime gives users the right to ask service providers to stop processing their personal data or selling it to third parties.
"We make all these fantastic rules to protect people but there’s no enforcement," Andrew Hale, a Helsinki resident familiar with the data privacy rules, told Yle News.
He said large Finnish companies are failing to comply with GDPR, for example, by including marketing authorisation in user terms of agreement.
National data protection authorities, such as the Data Protection Ombudsman in Finland, are the first point of contact for citizens wanting to call out companies breaking data protection rules. But Hale fired criticism at Finland’s Data Protection Ombudsman, whose job it is to enforce GDPR in Finland, for being unresponsive to inquiries from the public.
"Ten breaches every day"
Reijo Aarnio, who has served as Finland’s Data Protection Ombudsman for the last two decades, acknowledged this criticism, saying his office receives an average of ten data breach notifications each day.
"Larger companies have more resources than smaller ones to implement GDPR," he explained. "We have very simple cases and very complex ones encompassing millions of subjects whose data has been breached."
Aarnio said that GDPR is still suffering from a lack of harmonisation on the EU level as there are varying degrees of interpretation of the rules.
"The EU wants to prevent GDPR shopping," said Aarnio of companies taking advantage of member states where breaking rules may carry a smaller price tag.
"It’s a huge task to harmonise the level of fines across the EU’s 28-state bloc."
EU tech czar: "It’s about time citizens get digital rights"
EU competition commissioner Margrethe Vestager meanwhile told Yle News that she's not surprised that national data protection authorities feel overrun.
Vestager, known as the EU’s tech czar for heading investigations into tech behemoths like Microsoft and Apple, said the Commission has yet to punish any companies failing to comply with GDPR.
"Stock-taking will happen in the new year. This is a good opportunity for national authorities to report back and say, 'Oh wow, we got swamped' because it’s difficult for businesses to live up to these rights," she told Yle News.
Vestager called on national ombudsmen to report rogue companies to the Commission as the same multinationals may be skirting privacy rules across the EU.
"We have to see if there’s a European-wide issue with certain companies," she added.
At some point, according to Vestager, delinquent companies will face a fine.
"We are only at the beginning, but the public's reaction shows that it was about time that citizens got digital rights. The EU's job is to enforce competition law, especially when companies don't live up to their promises."
New year brings GDPR sanctions
In Finland, companies systematically failing to comply with GDPR may soon have to pay for their offences.
Next year, a new three-person team in Aarnio's office will start investigating GDPR breaches in Finland thanks to Finnish data protection legislation coming into effect on 1 January.
Despite GDPR’s shortcomings, Aarnio and Vestager remain upbeat.
"I want to underscore that citizens have more rights than they used to," Aarnio explained. Vestager echoed this sentiment.
"The important thing for people to realise is, 'I have digital citizen's rights. I own my data, I can move it, I can be forgotten,'" explained the EU's chief tech regulator.