After more than two years, GDPR enforcement trends are beginning to emerge. We are seeing the types of enforcement actions that data protection authorities (DPAs) across the European Union (EU) are willing to undertake, as well as the profiles of the targets. In 2020 alone, DPAs issued 318 fines. That is 318 out of 471 GDPR files overall so far. In this alert, we summarize the lessons learned from GDPR enforcement in 2020, the year that has seen the bulk of enforcement action, and we discuss what these actions could mean for companies in 2021.


Who Should be Worried? Everyone

After a relatively low number of enforcement actions in 2019, we saw a drastic increase in enforcement actions by DPAs across the EU in 2020. These actions were, at times, substantial in amount and targeted both small and large organizations, especially those in the technology industry.

In fact, the Irish Data Protection Commission (IDPC)—one of the most active DPAs in the EU—has launched several investigations into various "Big Tech" firms. An investigation into Twitter's compliance with Articles 33(1) and 33(5) of the GDPR, concerning the company's notification obligation and accountability obligation relating to a January 2019 data breach, resulted in a €450,000 fine. The IDPC also launched inquiries into Facebook's processing of children's data on Instagram and issued a formal notice regarding Facebook's Election Day Reminder feature. Though very few decisions have yet been issued, the IDPC is continuing to proceed with a large number of investigations against Big Tech companies, and while the pace of these investigations may not satisfy all GDPR critics, the sheer quantity shows how seriously the IDPC is taking GDPR enforcement, at least as it pertains to U.S. companies.