Companies do not fear GDPR violations, noyb claims

Businesses and organizations in violation of the General Data Protection Regulation (GDPR) have nothing to fear from data protection authorities (DPAs).
That’s what noyb says in a recently published article about the myths surrounding data protection and privacy.
The Austrian privacy interest group debunks several misconceptions people have about data protection. One of them is that companies need to fear sanctions issued by DPAs.
Perhaps they should, but the reality is harsh and shows us a different picture. A recent analysis of DPA activity between 2018 and 2023 shows that only 1.3% of cases result in a fine. To make matters worse, the Data Protection Commission (DPC), Ireland’s privacy and data protection authority, which is responsible for major tech companies like Apple, Google, and Meta, imposes a fine in only 0.26% of the cases it handles.
On top of that, the DPC hardly collects money from companies in violation of the GDPR. This is backed by an analysis by The Irish Times from earlier this month, which states that commercial businesses, political entities, and other organizations owe the DPC approximately €4 billion.
The DPC has failed to collect the fines it levied because the majority of the companies have appealed the data protection authority’s ruling in court. Under the legislation, fines can’t be collected until a judge renders a verdict.
In recent years, noyb has filed more than 900 cases, some of which took years to resolve. In the end, some of the companies involved only received a warning for violating the GDPR. In some cases, privacy regulators even appear to assist the accused company, according to noyb.
The privacy organization, therefore, believes it is a misconception that companies fear serious consequences for violating Europe’s privacy laws.
Another misconception about data protection is that the GDPR forces companies to use cookie banners.
“The GDPR doesn’t force websites to use cookie banners. Instead, companies are required to obtain your explicit consent if they want to track your online movements. Typically, this is done to show you personalized advertisements based on your interests. Companies choose to ask for your consent with cookie banners and are often blaming the GDPR for it,” noyb says.