An analysis of violations and sanctions following the GDPR

Presthus, Wanda; Sønslien, Kaja Felix

doi:10.12821/ijispm090102

Cited by 15 publications

(6 citation statements)

References 20 publications

(45 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, the GDPR has an extra-territorial impact in foreign countries, considering that it applies to any company that monitors or offers goods or services to individuals in the EU or monitors their behavior when they are in the EU (see Article 3 of the GDPR). As many scholars argued, the extra-territorial impact of the GDPR (Greze, 2019) has influenced the (online and offline) business practices of companies not only in Europe but also all over the world (Albrecht, 2016), inducing many companies to change their data policies (Krivokapi c et al, 2018) even considering the risks of high sanctions in the GDPR (Presthus and Sønslien, 2021;Tankard, 2016;Voigt and von dem Bussche, 2017).…”

Section: Methodology Scope and Structurementioning

confidence: 99%

“…If we consider some emblematic categories of personal data that are generally used for commercial manipulation, for example, emotions (in general), commercial preferences or data about consumers’ financial condition, then we can easily find that they are not sensitive data under the GDPR. Accordingly, what is certain is that behavioral data collection is not a form of sensitive data processing per se , but very often – especially in the age of predictive analytics and data mining – companies can infer very sensitive aspects of consumers so that those data could be considered to fall under the GDPR definition of sensitive data (Malgieri and Comandé, 2017; Quinn and Malgieri, 2021).…”

Section: The Role Of the Law: European Union Privacy And Data Protect...mentioning

confidence: 99%

See 1 more Smart Citation

In/acceptable marketing and consumers' privacy expectations: four tests from EU data protection law

Malgieri

2021

JCM

View full text Add to dashboard Cite

Purpose This study aims to discover the legal borderline between licit online marketing and illicit privacy-intrusive and manipulative marketing, considering in particular consumers’ expectations of privacy. Design/methodology/approach A doctrinal legal research methodology is applied throughout with reference to the relevant legislative frameworks. In particular, this study analyzes the European Union (EU) data protection law [General Data Protection Regulation (GDPR)] framework (as it is one of the most advanced privacy laws in the world, with strong extra-territorial impact in other countries and consequent risks of high fines), as compared to privacy scholarship on the field and extract a compliance framework for marketers. Findings The GDPR is a solid compliance framework that can help to distinguish licit marketing from illicit one. It brings clarity through four legal tests: fairness test, lawfulness test, significant effect test and the high-risk test. The performance of these tests can be beneficial to consumers and marketers in particular considering that meeting consumers’ expectation of privacy can enhance their trust. A solution for marketers to respect and leverage consumers’ privacy expectations is twofold: enhancing critical transparency and avoiding the exploitation of individual vulnerabilities. Research limitations/implications This study is limited to the European legal framework scenario and to theoretical analysis. Further research is necessary to investigate other legal frameworks and to prove this model in practice, measuring not only the consumers’ expectation of privacy in different contexts but also the practical managerial implications of the four GDPR tests for marketers. Originality/value This study originally contextualizes the most recent privacy scholarship on online manipulation within the EU legal framework, proposing an easy and accessible four-step test and twofold solution for marketers. Such a test might be beneficial both for marketers and for consumers’ expectations of privacy.

show abstract

Section: Methodology Scope and Structurementioning

confidence: 99%

Section: The Role Of the Law: European Union Privacy And Data Protect...mentioning

confidence: 99%

In/acceptable marketing and consumers' privacy expectations: four tests from EU data protection law

Malgieri

2021

JCM

View full text Add to dashboard Cite

show abstract

“…Another aspect related to our paper is the work of the data protection supervisory authorities (henceforth, DPAs). Barrett and other researchers [3,20,33], analyzed the fines issued by the authorities in an early stage of the GDPR adoption. In addition, two articles by Ruohonen and Hjerppe [21,22] predicted the evolution of fines, for instance, in magnitude and frequency.…”

Section: Gdpr Implementation Supportmentioning

confidence: 99%

“…Previous work has already looked at the imposed fines and provided an overview and statistical analysis [3,[20][21][22]33]. However, these works do not investigate the data processing details that lead to fines.…”

Section: Introductionmentioning

confidence: 99%

Investigating GDPR Fines in the Light of Data Flows

Saemann

Theis²,

Urban³

et al. 2022

PoPETs

View full text Add to dashboard Cite

While GDPR related fines to big companies like Amazon or Google have seen widespread media attention, data protection authorities have issued several hundred more penalties since 2018. This work analyzes 856 fines and their summaries provided by the CMS Law GDPR Enforcement Tracker. We extend the methodology of previous work that evaluated GDPR fines and, in particular, explore the fines in the light of data flows and we perform a detailed categorization. Our analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed. Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. We cluster the most frequent words and analyze relations to understand where data controllers put personal data at risk. The results confirm that access management is a common problem that results in the unintended disclosure of data.

show abstract

“…Considering the GDPR (Article 83) [1], non-compliance can lead to fines of up to 20 million euros or up to 4% of a company's worldwide annual turnover, whichever is higher. Studies also indicate an increasing number of fines based on the GDPR since its publication [5], [6], with the largest fine imposed by the Luxembourg's Data Protection Authority against Amazon (746 million euros) in July 2021 [7]. This scenario has forced many organisations to adapt and implement new privacy practices to achieve regulatory compliance and, most importantly, to respect people's privacy when developing and applying new technology [3], [8], [9].…”

Section: Introductionmentioning

confidence: 99%

Organisational Privacy Culture and Climate: A Scoping Review

Iwaya

Fischer‐Hübner

et al. 2022

IEEE Access

View full text Add to dashboard Cite

New regulations worldwide are increasingly pressing organisations to review how they collect and process personal data to ensure the protection of individual privacy rights. This organisational transformation involves implementing several privacy practices (e.g., privacy policies, governance frameworks, and privacy-by-design methods) across multiple departments. The literature points to a strong influence of the organisations' culture and climate in implementing such privacy practices, depending on how leaders and employees perceive and address privacy concerns. However, this new hybrid topic referred to as Organisational Privacy Culture and Climate (OPCC), remains poorly demarcated and weakly defined. In this paper, we report a Scoping Review (ScR) on the topic of OPCC to systematically identify and map studies, contributing with a synthesis of the existing work, distinguishing core and adjacent publications, research gaps, and pathways of future research. This ScR includes 36 studies categorised according to their demographics, research types, contribution types, research designs, proposed definitions, and conceptualisations. Also, 18 studies categorised as primary research were critically appraised, assessing the studies' methodological quality and credibility of the evidence. Although published research has significantly advanced the topic of OPCC, more research is still needed. Our findings show that the topic is still in its embryonic stage. The theory behind OPCC has not yet been fully articulated, even though some definitions have been independently proposed. Only one measuring instrument for privacy culture was identified, but it needs to be further developed in terms of identifying and analysing its factors, and evaluating its validity and reliability. Initiatives of future research in OPCC will require interdisciplinary research efforts and close cooperation with industry to further propose and rigorously evaluate instruments. Only then OPCC would be considered an evidence-based research topic that can be reliably used to evaluate, measure, and embed privacy in organisations.

show abstract

An analysis of violations and sanctions following the GDPR

Cited by 15 publications

References 20 publications

In/acceptable marketing and consumers' privacy expectations: four tests from EU data protection law

In/acceptable marketing and consumers' privacy expectations: four tests from EU data protection law

Investigating GDPR Fines in the Light of Data Flows

Organisational Privacy Culture and Climate: A Scoping Review

Contact Info

Product

Resources

About