“National data-protection authorities have adopted a balanced approach to enforcement powers,” said the commission, according to the Financial Times. “They have focused on dialogue rather than sanctions, in particular for the smallest operators which do not process personal data as a core activity.”
The GDPR allows the EU’s 28 national regulators to fine companies as much as 4 percent of their annual revenues or 20 million euros — whichever is the larger — if they don’t comply with rules designed to protect user data.
In the year since the regulation went into effect, $62.6 million in fines have been imposed, with 200,000 investigations into breaches being carried out. The largest sanction to date was handed down by France’s data protection authority, which imposed a 50 million euro fine on Google after the tech giant failed to provide its users with enough information about how it processes their data.
Ireland’s regulator, however, has been criticized because it hasn’t handed out any fines despite the fact that it oversees companies such as Apple and Facebook. But Brussels defended the Irish data protection office, pointing out that it has launched 15 investigations into international companies under the GDPR.
“The success of the regulation should not be measured by the number of fines imposed, but by changes in the culture and behavior of all actors involved,” the commission said.
In fact, the EU wants regulators to look beyond fines when enforcing GDPR, such as ordering temporary bans on the processing of data by companies. It also explained that regulators want to ensure it has a strong case before doling out a massive fine.
“It is essential that data protection authorities gather relevant evidence, respect all procedural steps under national legislation and ensure due process in often complex files,” said the commission. “This requires time and involves a significant amount of work, which explains why most of the investigations launched after the entry into application of the regulation are still ongoing.”