The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the EU’s General Data Protection Regulation (GDPR), a significant step change in its GDPR enforcement approach. The Berlin DPA’s most significant penalty to date includes two fines on a company totaling €200,000. In that case, as with the latest announcement, the Berlin DPA has not yet named the affected company The announcement also continues a trend, started by the French Data Protection Authority (CNIL) and followed by the UK Information Commissioner’s Office (ICO), of data protection authorities beginning to show their teeth in GDPR enforcement.
In January 2019, the CNIL issued a €50 million fine against a large technology company, the first significant sanction under the GDPR (though the fine fell well short of the maximum potential penalty available in that case). About six months later, the ICO followed suit with two announcements in quick succession of plans to impose fines of about €110 million in one case and more than €200 million in another case, which Latham & Watkins discussed in a 12 July 2019 blog post.
Prior to the Berlin DPA’s latest move, the approach taken by German data protection authorities to GDPR enforcement had led many to assume that serious fines were unlikely to be imposed in the near future. The first fines imposed in Germany were comparatively low, amounting to only €20,000. The authority in that case, Baden-Wuerttemberg, took a relatively pragmatic approach. In a press release, it praised the company’s professional and cooperative strategy in the fine proceedings. (Latham advised the company in the fine proceedings.) Furthermore, it positively considered the company’s approach to openly disclose errors in data protection and to eliminate them quickly.