ABSTRACT The General Data Protection Regulation (GDPR), which went into effect in May 2018, enabled European Data Protection Authorities (DPAs) to fine companies up to 4 percent of their annual revenue in the event that they were found in violation of the regulation's requirements for data collection, processing, and use. But the regulation gave DPAs considerable leeway to determine how they would implement these penalties. This article analyzes 261 publicly available GDPR enforcement orders issued by DPAs during the first 24 months of the GDPR implementation. The findings show that most GDPR fines levied so far have been relatively small, many of them within the thresholds set by earlier laws prior to the GDPR. Additionally, only half of the GDPR articles for which penalties are designated have actually resulted in public enforcement actions, and those fines that have been levied focus primarily on violations of five particular articles, four of which pertain primarily to user privacy protections. However, despite the fact that most of the fines issued under the GDPR have been in response to privacy violations, the largest fines have been triggered by security incidents, and, on average, security violations still receive larger fines than privacy violations.

中文翻译：

---

早期 GDPR 处罚：截至 2020 年 5 月的实施和罚款分析

摘要 2018 年 5 月生效的《通用数据保护条例》(GDPR) 使欧洲数据保护机构 (DPA) 能够对发现违反法规要求的公司处以高达其年收入 4% 的罚款用于数据收集、处理和使用。但该法规为 DPA 提供了相当大的余地来决定他们将如何实施这些处罚。本文分析了在 GDPR 实施的前 24 个月内由 DPA 发布的 261 项公开可用的 GDPR 执行命令。调查结果表明，迄今为止征收的大多数 GDPR 罚款都相对较小，其中许多罚款都在 GDPR 之前的早期法律规定的阈值之内。此外，只有一半被指定处罚的 GDPR 条款实际上导致了公共执法行动，而被征收的罚款主要集中在违反五项特定条款，其中四项主要与用户隐私保护有关。然而，尽管根据 GDPR 开出的大多数罚款都是针对侵犯隐私的，但最大的罚款是由安全事件引发的，而且平均而言，安全违规仍会比隐私违规受到更大的罚款。