Since the regulation came into force, Europe’s data protection authorities (DPAs) are quite busy carrying out audits, issuing warnings, and imposing fines, including penalties worth tens of millions of euros. Nevertheless, some DPAs declare that, so far, they have been more focused on raising stakeholders’ awareness, implementation, and working with businesses and organizations to become GDPR compliance. Put differently, DPAs have yet to deploy their full enforcement capacities, and we’ll likely see them get closer to doing so in the upcoming years.
Several DPAs have endorsed various instruments to encourage enforcement activities. In contrast, others have stated that they aspire to intensify their interventions using new powers, resources, and intelligence to take decisive action against non-compliant businesses and organizations.
The GDPR has made the citizens more aware of their rights and data protection rules, so DPAs across the continent receive more and more complaints from regular citizens about various data breaches. The growing awareness has led to more DPA interventions and a rise in civil proceedings, which we expect to increase even further.
According to the GDPR, data subjects have a wide range of ways to seek redress. They can turn to their country’s DPA and the civil courts simultaneously or go to the court after complaining in front of the DPA. Even more, besides acting individually, data subjects can join in group litigation backed by numerous privacy consumer groups.
It’s safe to say that the trend of GDPR-related civil claims is emerging across the EU. In many member states, businesses and organizations that made data breaches face civil lawsuits and regulatory fines. These risks for organizations are expected to become even more significant when the EU enacts its draft directive for representative action to protect the collective interests of consumers.