Not all data protection regulators are the same. Each of the European Union’s 27 General Data Protection Regulation (GDPR) regulators have different approaches to enforcement. It is important to understand the key differences in their powers, priorities, procedures and ways of working. Together, they form the European Data Protection Board (EDPB). However, their differing approaches strongly influences the nature, tone and substance of the EDPB’s output. We call this group of GDPR regulators “Europe’s Big Six” because of their enforcement output, capabilities, consistency, size and influence. These regulators help to set the agenda for GDPR, data protection and information security, in Europe and around the world. They have become bellwethers. Analysing these regulators can help companies and organisations navigate the enforcement landscape, understand regulatory risks and decide on how to effectively engage with them. The Big Six Regulators are the European Data Protection Board (EDPB), France’s CNIL, Spain’s AEPD, Germany’s Hamburg and Baden-Württemberg regulators (together), Italy’s Garante and the Netherlands’ AP.
EU: European Data Protection Board (EDPB)
The EDPB is the EU’s data protection super-regulator, bringing together all 27 GDPR regulators, EFTA EEA authorities and the European Data Protection Supervisor (EDPS). Its powers are distinct from each country’s regulator, but it has formidable convening powers. The EDPB helps to resolve EU cross-border cases. The Dispute Resolution mechanism is a very powerful system allowing a decision by one GDPR regulator to be reassessed and fines or penalties increased, because of interventions by other EU GDPR regulators. EDPB’s Opinions are highly regarded and help to shape EU data protection interpretation and good practice. The EDPB also publishes Guidelines, Recommendations and Best Practice. The Board can use its Urgency Procedure to assist a GDPR regulator to adopt an urgent measure needed to protect the rights and freedoms of individuals. The EDPB can, on its own initiative, intervene to monitor the correct application of the GDPR, advise the European Commission, answer questions on GDPR application, give Opinions on Codes of Practice and Certifications, give opinions on data protection adequacy, promote co-operation, exchange information and facilitate shared investigations. The EDPB’s Strategy and Work Programme, Annual Report 2021, Vienna Statement on Enforcement Co-operation 2022 and Selection Criteria for Cases of Strategic Importance 2022, show an intent to increase future cooperation and effectiveness.
France: Commission Nationale de l’informatique et des Libertés (The CNIL)
The CNIL, based in Paris, was established in 1978, before European data protection law was comprehensively set out. It is one of the larger GDPR regulators, with an established heritage in privacy and data protection. It has a long history of enforcement, which has been bolstered by the GDPR. In 2019, the CNIL fined Google €50 million for numerous GDPR breaches on transparency and consent. In 2022, it published a decision about Google Analytics’ non-compliance with GDPR, which sent reverberations across the EU and the world. The CNIL’s Strategic Plan 2022-2024 focuses on promoting the control and respect of individuals’ rights, promoting the GDPR as a trusted asset for organisations and prioritising targeted regulatory actions for high-stakes privacy issues. The high-stakes areas of focus include smart cameras, data transfers in the cloud and smartphone data collection.
Spain: Agencia Española de Protección de Datos (AEPD)
The AEPD, based in Madrid, is Spain’s national data protection regulator, established in 1993. Spain also has three regional data protection regulators in Andalusia, Basque and Catalonia. The AEPD is known for its opinions, guidance and tools on emerging technologies such as Big Data, the Right to be forgotten, wifi data collection (Google Street View), cookies, data breach and Data Protection Impact Assessments (DPIAs). The Agency is one of the most frequent issuers of GDPR fines in the EU. These penalties are often relatively modest (below €200,000), but are spread over a wide range of sectors, industries, public bodies and size of organisations. Its in-country regulatory reach is one of the EU’s broadest and it has adjudicated and enforced in many sectors and technologies. Its largest fines have included Vodaphone Spain (€8.5 million), BBVA (€5 million) and CaixaBank (€9 million and €3 million). Its Annual Report 2021 (in Spanish) shows an active and engaged organisation.
Germany: Hamburg and Baden-Württemberg
Germany has a two-tier data protection regulatory system. The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Datenschutz und Informationsfreiheit – ‘BfDI’) represents Germany at the EDPB. Germany has about 19 different federal and regional data protection authorities responsible for monitoring data protection implementation throughout Germany. To ensure consistency, members of all German regulators for the public and the private sectors form the Data Protection Conference (Datenschutzkonferenz – ‘DSK’). This arrangement mirrors the consistency mechanism set out in the GDPR, practiced by EDPB. German data protection enforcement is best understood by reviewing the output of these regional GDPR regulators.
Two of the most active and vocal German regulators are Hamburg (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit – HmbBfDI) and Baden-Württemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg – LfDI). The Hamburg GDPR Regulator fined Hennes & Mauritz Online Shop A.B. & Co KG, a Hamburg-based subsidiary of Swedish fashion and textile company H&M, €35 million, for GDPR breaches. The Regulator imposed a fine of €51,000 on Facebook Germany GmbH for failing to notify their Data Protection Officer in Germany. The regulator questioned and investigated the GDPR compliance of Zoom and Google Analytics. In the early months of GDPR coming fully into force, the Baden-Württemberg GDPR regulator imposed a fine of €20,000 on a social media provider for breaching GDPR’s data security obligations. In 2022, the regulator published a detailed Frequently Asked Questions (FAQs) on cookies and similar technologies.
Italy: Garante per la protezione dei dati personali (The Garante)
The Garante, based in Rome, is Italy’s national data protection regulator, established in 1997. The Garante appears to be very selective about the large scale interventions and enforcement actions it takes. However, many of these actions address the most important GDPR principles, target key sectors and focus on new and emerging technologies. It has been involved in some of the largest and most high profile GDPR enforcement cases and fines such as TIM SpA (€27.8 million), Enel Energia (€26.5 million) and Clearview AI (€20 million). The Garante is permitted to keep 50% of the fines it collects for its own operations. The other half goes to the Italian Government’s central funds. The Garante has agreed with the French, Danish and Austrian GDPR regulators that Google Analytics’ personal data collection and transfers from the EU to the USA, breaches GDPR. The Garante’s Annual Report 2021 (in Italian) shows a bold and confident regulator.
Netherlands: Autoriteit Persoonsgegevens (AP)
Autoriteit Persoonsgegevens (AP), based in Den Haag (The Hague), was originally called the Registratiekamer, and later, the College bescherming persoonsgegevens (CBP). AP, in its current form, was established in 2016. AP has a statutory duty to assess whether organisations, including government bodies, comply with Dutch Data Protection law. The AP’s Strategy Focus Areas for 2020-2023 has deliberately prioritised three digital society themes. These are data trading, digital government in central and local authorities as well as artificial intelligence and algorithms. AP fined the Netherlands Tax Administration (Belastingdienst) €3.7 million for misusing their Fraud Signalling Facility blacklist and breaching the GDPR, causing loss and damage to Dutch families. AP has also taken enforcement action against the Dutch Ministry of Finance (€2.7 million), TikTok (€750,000) and investigated Microsoft’s services. AP’s Annual Report 2021 (in Dutch) shows a confident, minimalist regulator, with a reputation for applying strict interpretations of GDPR.
Other Related Developments and Trends
The UK’s Information Commissioner’s Office (ICO) and Data Protection Commission Ireland (DPC Ireland), together form the largest native speaking English data protection and GDPR regulatory block in Western Europe. The ICO remains large, influential and relatively well staffed and resourced. However, the UK’s departure from the EU (Brexit) means that it is no longer an EU GDPR regulator and a European Big Six contender. It is likely to increasingly diverge from the family of EU GDPR regulators. The ICO’s future is still to be decided, over time. DPC Ireland is growing in capability and influence and is one to watch in the next 2-5 years. The EDPB’s Dispute Resolution mechanism is being used by the Big Six regulators, and others, to internally challenge DPC Ireland’s draft decisions to expand its GDPR analysis and the size of its GDPR fines and penalties.
Other key data protection regulators to watch are Denmark, Poland, Austria and Norway. For the future, significant enforcement action can come from any of the EU’s 27 GDPR regulators, at any time, acting alone, acting together or acting in co-ordination with the EDPB. Therefore, EU data protection regulators and their enforcement activities remain a dynamic and fast-moving environment.
For help with EU/EEA/UK GDPR compliance, data protection regulatory investigations, GDPR enforcement support, data breach response, Data Protection Officer (DPO) services, EU Data Protection Representative services and our Legal & Regulatory Support services, contact PrivacySolved:
Telephone: +353 1 960 9370 (Dublin)
Telephone: +44 (0) 207 175 9771 (London)