Dutch DPA struggling to collect GDPR fines outside the EU
The Dutch data protection authority (DPA) can hardly collect fines given to businesses and organizations outside the European Union (EU).
That’s the main conclusion of an investigation that was conducted by a scientist through the European Data Protection Board’s (EDPB) expert pool, the Autoriteit Persoonsgegevens (AP) confirms.
The report focuses on the United States, because American courts are often unwilling to recognize and enforce fines that are imposed by foreign regulators.
According to the report, there are little to no opportunities for the Dutch DPA to enforce its decision outside the European Economic Area (EEA). “For this there is no basis in international law and practice shows that judges in the US will almost never recognize a fine from a third country,” the report says.
This is what happened in the case of Clearview AI, an American tech company that offers facial recognition technology to law enforcement agencies worldwide. The company uses scraping software to compile a facial database, which according to experts currently has over a hundred billion photos. However, the company never asked for permission from users, which is a violation of European privacy laws.
In 2022, data protection authorities from France, Greece and Italy imposed hefty fines onto Clearview, amounting to €20 million. However, these fines haven’t been paid thus far.
The same thing happened with LocateFamily.com, a website that tries to reconnect family members who’ve lost contact with each other.
The Dutch DPA received dozens of complaints from people who had no idea how their names, addresses, phone numbers and other personal information ended up on the LocateFamily.com website, let alone they consented to this. For this GDPR violation the Dutch DPA imposed a fine of €525,000 in May 2021, but was also never paid.
The results of the report have been discussed by the Dutch DPA. The privacy supervisor decided to send a letter to the House of Representatives, telling them that the current possibilities to collect GDPR fines -including labeling privacy-related offenses as economic crimes, seizing a trade or brand name, recovering investigation costs, and civil proceedings- are insufficient.
In the past, the AP has given this conundrum a lot of thought and came up with several solutions. Besides implementing international treaties, making it mandatory to appoint a European representative when non-European companies collect and process personal data of Europeans could help in the collection of imposed privacy fines. Targeting CEOs of companies that do not employ a European representative is another measure the Dutch DPA has been considering.
Your email address will not be published. Required fields are marked