Five months have passed since May 25 when the General Data Protection Regulaton (GDPR) became applicable in the European Union. Data controllers and processors struggled a lot to be ready for the application of the rules of the GDPR. However, there are several rules in the GDPR that leave space for interpretation and maneuvering. Besides the general guidelines and opinions issued by the European Data Protection Board and the national data protection authorities, decisions in individual cases can serve as compass in finding the right direction when the provisions of the GDPR are applied.
Of course, it took time until the first decisions and judgments were issued under the GDPR but from now on, we may expect more and more decisions and judgments that can shape the data protection practice throughout the EU.
One of the most frequently mentioned novelties of the GDPR is the extremly high amount of administrative fines that can be imposed by the national authorities in case of the violation of the data protection rules. For that very reason, expectations are very high regarding the first decisions imposing fines on data controllers and processors. And here we are, the first resolutions on fines are out.
The Austrian Data Protection Authority issued its first fine under the GDPR against an entrepreneur that had installed a CCTV camera in front of its establishment that also recorded a large part of the sidewalk. Besides this, transparency provisions were also infringed since signs regarding the video surveillance were not sufficient. The amount of the fine was EUR 4,800.
One of the reasons behind the adoption of the GDPR was to reach a more standardized application of the data protection rules within the EU. The Regulation is directly applicable in the Member States and the European Data Protection Board was set up in order to contribute to the consistent application of the GDPR throughout the EU (consistency mechanism). The Board may also pass binding decisions to resolve disputes among data protection authorities.
However, it seems that despite of the efforts to have consistency in the application of the GDPR, derogations in the interpretation of the rules between Member States seems to remain an issue in the future. Recently, the Italian and the Austrian Supreme Courts draw different conclusions regarding the interpretation of bundled consents (Section 7(4) of the GDPR). According to the Austrian Supreme Court, no exceptions can be accepted from the prohibition of bundled consents. On the other side, the Italian Supreme Court found that bundled consents may be acceptable if data subjects have the possibility to obtain the same services from other service provider, i.e. they are free to choose between the services with or without further data processing.
Hopefully, the number of contradictory decisions will decrease but it will take time and many decisions by the European Data Protection Board and the European Court of Justice (ECJ) will be necessary to reach the goal of consistent application of the data protection rules in Europe.