European data protection authorities step on the gas – and there is more to come

Philipp Rosenauer Partner Legal, PwC Switzerland 29 Oct 2020

As recently as last year, the number of large fines based on the General Data Protection Regulation (GDPR) increased steadily. However, since the outbreak of the corona crisis, European data protection authorities appear to have stepped on the brakes relating to GDPR enforcement actions. But it looks like things are starting to move again...

Since the onset of the corona crisis in February 2020, European data protection and thus the prosecution of GDPR violations seem to have been pushed aside. In contrast to the previous practice of high fines at more or less regular intervals, we have only seen a small number of fines over the one million threshold during the last eight months from February to September. Instead, the authorities tended to concentrate (with a handful of exceptions) on less significant infringements.

However, since the beginning of October there have been clear indications that practices across Europe are becoming stricter again and that companies should once more become more vigilant against GDPR breaches. The warning signals in this respect are as follows:

Major new fine

For the first time in several months, two fines of over 10 million euros were imposed. On the one hand, H&M was ordered to pay a fine of 35 million euros by the Hamburg data protection commissioner (HmbBfDI) at the beginning of this month. The main reason was the illegal surveillance of employees in a service centre in Nuremberg. On the other hand, the British data protection authority ICO became active too. British Airways was imposed a fine of equivalent to 22 million euros, taking into account the unique situation of the company, which is in the midst of the corona crisis. Otherwise, the fine may have been even higher.

New cases and other activities 

But not only punishments were imposed. In addition, several European data protection authorities have opened new cases in the past month. For example, as one of many cases, the Irish data protection authority announced that it is investigating Facebook after receiving several complaints about the way its subsidiary Instagram handles personal data of children and young users.

Additionally, there are multiple other areas in which data protection authorities are moving forward. Although these have no direct legal significance or financial consequences, they are likely to be important for the future development of data protection in Europe.

For example, the role of Microsoft (and in particular its Office 365 programme) is currently being examined by various international data protection authorities. In particular, the German data protection conference DSK (an association of the German data protection authorities) agreed at the beginning of October to an evaluation paper that not only criticises the individual programme Office 365 as being in breach of data protection laws, but ultimately shows that even the use of Office 365 is in itself always in contradiction to the GDPR.


In summary, despite the corona crisis, data protection authorities remain active. Major companies, especially those operating in the EU, must now again pay close attention to GDPR compliance. Otherwise, there is a risk of being penalised – especially since the authorities will not be less productive despite the corona crisis.

Contact us

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56