Date: 2020-01-22

The European privacy law, the General Data Protection Rules (GDPR), which struck fear into the hearts of finance heads across the world, has resulted in reasonable fines so far in its nearly 20 months of implementation, according to a recent survey. Yet corporations need to gear up for far more difficult times ahead.

"The total (reported) fines for the full 20 month period across all countries surveyed was just over €114 million (about US$126 million / £97 million) which is quite low given that supervisory authorities enjoy the power to fine up to 4 percent of total worldwide annual turnover of the preceding financial year," says a report by global law firm, DLA Piper.

The three jurisdictions that topped the table were France, Germany and Austria with the total value of GDPR fines imposed to date at €51 million, €24.5 million and €18 million respectively. The survey does not include the UK's biggest statements of intent as they have not been finalised.

In one of the largest fines so far, the French regulator, CNIL, fined Google €50 million (around $56.8 million USD) for GDPR violations last year. The regulator said that Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information is used. But this case was an outlier in the overall trend so far.

DLA Piper’s report, however, cautions that the low early fines are not in any way an indicator of the future as enforcement agencies staff up. "It takes time to build a robust case to justify higher fines. We expect to see more multi million Euro fines in the coming year," it adds.

Another trend visible in the first full year of the new law's existence is the uncertainty around the calculation of the fines and their proportionality to the harm caused. While the German authorities came forward with a methodology, both that methodology and the UK's logic in its intention to fine caused some consternation because they could lead to even higher penalties.

It is expected that a standard methodology will emerge as the jurisprudence settles. In the short run, companies will be contesting these fines via legal appeals.

The law firm also expects a legal battle to determine what constitutes appropriate security measures under Article 32 of GDPR. It expects security protocols to emerge as hard requirements under this specific clause.