A review of GDPR sanctions
How is the flagship of the world's "regulatory superpower" faring after 6 years of application? Learn what you should worry about as a business.
It is said that Europe is blocking innovation with its regulations, and especially with the most visible tip of this iceberg: GDPR. In effect since 2018, it regulates at the European level the way we deal with personally identifiable information (PII). The goal is to protect the privacy of all European citizens against all potential nuisances, whether those are abusive marketing strategies or utterly insecure data storage that eventually ends up sold on the darknet.
The goal of this article is not to assess whether this measure is effective but rather what its impact is on business. The French agency, the CNIL, keeps a list of all sanctions given over time. We will use an AI-pumped parser and a bit of data science to analyze the history of GDPR sanctions. It is all open-source so that you can check the methodology and report issues if any.
Fair warning, however: as always with statistics, they merely fit the story their writer wants to tell. Your company can be prosecuted on any given point of the law, and the distributed fines reflect the current state of the industry as much as the CNIL's priorities. If nobody had Consent Management Platforms (CMPs) in place, the rate of fines on this topic could be higher, for example.
Given our goal of figuring out what will actually get you fined, a decent first question to look at is the rate at which companies get fined. If only a few are fined every year there is nothing to worry about, but if the practice is widespread then it becomes a bit more scary.
Two things come up as striking from this graph:
There is a huge spike in 2021 in terms of the sum of sanctions. This year the CNIL woke up and chose violence against the GAFAM. Google and Facebook received fines of respectively 150 and 60 million euros for their cookie policies. The rest of the fines are actually pretty moderate.
The number of fines issued is increasing, seemingly exponentially, over time, while the total amount collected is decreasing. This raises the next question: what exactly is the distribution of those sanctions?
Now is probably a good time to point out that in the world of GDPR, fines are mostly proportional to the revenue of the company. They are sized to be painful for your business whilst also not endangering it. Seeing the fined amount is a good way to realize which sizes of companies are being sued. This is also why this article mostly avoids counting the absolute value of fines, as it would not be comparable between cases.
Note — All fines in 2018 are in the 0-1k slice because on the CNIL’s page amounts are not written for 2018. But it’s not too problematic in the sense that most of what we are looking at is the count of sanctions rather than their amount. This will definitely create some noise further down, however.
The 1M+ slices represent mostly big companies (Google, Amazon, Yahoo, Criteo, … you see the kind). Those are notoriously invading the privacy of individuals at a massive scale, which explains some constant action in that range. But in comparison to the bulk of the activity this looks pretty exceptional. Let’s focus more on the bulk of the sanctions.
In that regard, the 100k-1M column — which represents national companies (TV channels, telcos, etc.) — is definitely seeing some constant action. It got diluted in 2023 but the absolute value stays equivalent. This will be the most interesting slice to unfold.
And finally you can see a sharp 2023 increase in the 1k-10k slice — small companies such as web agencies — meaning that the rise in sanction counts that we have seen in the first graph can be attributed to an increased focus on smaller actors.
This looks to be the first major shift in strategy since the beginning: since 2023, small actors are being targeted at a significantly increased rate, whereas large corporations were the previous focus.
But what are those sections about? Is it all about cookies, or is there more to this law than CMPs?
What appears here is a rather balanced picture of different categories all being pursued more or less equally. The most obvious thing is that 2018 is nothing like the other years, so I guess they had to start by finding their mark.
Something that seems to emerge as well is a stronger focus on the core company organization. Instead of just wondering if you violate people’s privacy, it is also important to look at how well structured your company is to ensure that the law is applied, whether you design your application to be private or you work properly with your third parties.
Now which of those measures should you be worried about?
Obviously anyone can get hit anywhere and it is going to be hard to make a generic rule. But let’s look at some trends.
First let’s see about cookies and trackers. With so much noise surrounding them, are they so important? It turns out, not so much. They definitely have been the platform used to battle the GAFAMs, but the smaller the company, the less important they become.
Related to cookies, a line is emerging on consent. But it’s not only cookie consent. Rather, it’s the generic collection of consent for everything that should require it — from ads cookies to receiving commercial emails and everything in between. It is important to disconnect the concept of consent from the concept of cookies. The law never actually mentions cookies, it’s all about what you do with the data and how you justify it.
Talking of justification, this is clearly what emerges on the small red island in the 1k-100k range (web agencies and such). The things that hurt the most are not so much direct violations of the law but rather the lack of measures to apply and justify it. The message is clear: any company of any size should:
Maintain a register of all PII data processing
Justify appropriately every single processing that is done [1]
Have a DPO in charge of guaranteeing that this work is done and able to talk with the authorities
This is not what bigger companies seem to be lacking; they are instead plagued by what is most likely legacy.
A first group of topics is security-minded. You can see recurring mentions of:
Data minimization and expiration — limiting the attack surface to exactly what you need and no more
Data breach handling — you need to have proper security in place to avoid data breach, but you should also be transparent with your customers when their data gets leaked into the wild
Special categories of data — medical data for example requires a specific care, which is not always given
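As an added illustration (not code from the article or from the CNIL), here is what the register and the expiration rule above can look like when they are kept as data and checked automatically: every processing entry must name one of the six lawful bases of GDPR Art. 6(1), a purpose and a retention period, special-category data (Art. 9) needs an extra condition, and stored records older than their retention window are flagged. Field names and the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The six lawful bases of GDPR Art. 6(1); "consent" is only one of them.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}

@dataclass(frozen=True)
class Processing:
    """One line of the register of processing activities (field names assumed)."""
    name: str
    purpose: str
    lawful_basis: str
    retention_days: Optional[int]   # None = no expiration rule defined
    special_category: bool = False  # e.g. health data (Art. 9)
    art9_condition: str = ""        # extra justification when special_category

def audit(register):
    """Return (name, finding) pairs for entries lacking the justification items above."""
    findings = []
    for p in register:
        if p.lawful_basis not in LAWFUL_BASES:
            findings.append((p.name, "no valid Art. 6 lawful basis"))
        if not p.purpose.strip():
            findings.append((p.name, "purpose not documented"))
        if p.retention_days is None:
            findings.append((p.name, "no retention period (data expiration)"))
        if p.special_category and not p.art9_condition:
            findings.append((p.name, "special-category data without Art. 9 condition"))
    return findings

def expired(register, stored, today):
    """Return (name, collected) pairs whose retention window has elapsed.
    `stored` is a list of (processing name, collection date) pairs."""
    limits = {p.name: p.retention_days for p in register}
    return [(n, d) for n, d in stored
            if limits.get(n) is not None and today - d > timedelta(days=limits[n])]

# Constructed sample register and stored records, not real company data.
REGISTER = [
    Processing("newsletter", "send commercial emails", "consent", 365 * 3),
    Processing("patient_file", "medical follow-up", "contract", 365 * 20,
               special_category=True),              # missing Art. 9 condition
    Processing("web_analytics", "", "cookies", None),  # bad basis, no purpose, no retention
]
STORED = [("newsletter", date(2019, 1, 10)), ("newsletter", date(2023, 6, 1))]

def run_sample():
    """Run both checks over the constructed sample as of 2024-06-01."""
    return audit(REGISTER), [n for n, _ in expired(REGISTER, STORED, date(2024, 6, 1))]
```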
And then comes in the straight-out malicious data processing:
Improper commercial prospection
Lack of information and transparency
Refusal of user’s rights (portability, opt-out, etc)
Let us also take note of something notably missing from the list of sanctions: not a single mention of using a hosting/cloud provider that is not EU-owned. Nobody got sued for using AWS, DigitalOcean or any other American hosting company. When you see how extremely specific some of the sanctions are, if this was on the map at all there would at least be a trace of it.
It is also worth mentioning that data processors don’t seem to have gotten into any trouble. There are some examples of controller/processor relationships being sanctioned, but most of the responsibility seems to fall on the shoulders of the controller.
Overall, many categories are used only a few times, and it is clear that the CNIL will target anything it can. But the emerging patterns also show that a lot of focus is given not only to what you do but also to how you do it. The main requirement of GDPR, in the end, is that you care about PII.
Conclusion
Is GDPR hurting innovation? Should you be afraid of getting fined?
After initial years that were mostly focused on crucifying GAFAMs, it seems that the CNIL is getting a knack for smaller players as well. We don’t know yet how many sanctions will fall in 2024, but the rise in 2023 has been steep.
It is also becoming obvious that the infractions companies get sued for depend heavily on company size, due both to the practices required to operate at that scale and to the tendency to invest or not in PII management. As such, here are the recommendations of what to change depending on your company size.
Global companies — GAFAMs and other big players in web marketing
Notch it down on World Domination
National companies — TV channels, telcos and other companies operating at a national level
Assign a budget on sanitizing your data management. Eventually you will have to spend this money either as a GDPR fine, or as a hack ransom then as a GDPR fine. If you do it as an afterthought, the outcome will be a superficial façade falling at the first push.
The same goes for letting users exercise their rights. It needs to be built into your tools and processes, otherwise it will not happen when you need it.
And there are, indeed, a number of forbidden commercial practices you can no longer engage in.
SMEs — Smaller local businesses, startups in initial stages, web agencies but also the local doctor for example
Make sure to empower one person to be responsible for data management
Keep a register up-to-date with all PII processing and appropriate justifications
So what of our question? Is GDPR hurting businesses? There is no denying that this regulation forces companies of all sizes to assign budgets on items that do not have a direct ROI, under the threat of a fine.
On the other hand, this serves to protect companies from themselves. The principles of data security, for example, are forcing a much better hygiene which will over time save big household names from massive ransoms and data breaches. The industry still needs to gain a tremendous amount of maturity on the topic — this is but a push in the right direction.
The same goes with commercial opportunities. Have you seen the Mad Men episode about Lucky Strike? This is a similar situation. If you can’t do it, neither can your competitors. This is not the scope of this article, but you can imagine that the damage is not so great provided that everyone respects the law.
Which all leaves us with a mixed feeling. On one hand this is acting for the betterment of European society and has important positive externalities — a safer online experience for all of us. But it is only driven by the stick. Instead of giving huge tax credits for often bogus R&D [2], maybe a little help to the most vulnerable businesses could help them keep their books in order.
[1] GDPR allows you to use different categories of justifications for each data processing. You must fall within one of these justifications for every processing. One of them is “consent”, but there are 5 others that might help you. See my previous article on the topic.
[2] I’m talking here about the French “CIR”, which generates hundreds of millions for mostly the same GAFAMs that are being fined here, and whose economic impact is quite controversial.