First GDPR Cases Begin Working Through EU Enforcement Agencies

The U.K. privacy watchdog is dealing with its first general data protection regulation cases, but "it's too early to speculate on enforcement action," an Information Commissioner's Office spokesperson emailed Wednesday. The ICO started using its "powers of assessment and audit in order to begin looking at certain organisations' data protection practices." French data protection agency CNIL (Commission Nationale de l'Informatique et des Libertes) said it hasn't yet issued fines based on the GDPR. With the regulation having taken effect May 25 (see 1805230001), "the complaints brought before the CNIL in relation to the GDPR are currently in a trial phase and we do not yet know when the CNIL will deliver its decisions," a spokesperson emailed. No enforcement issues have arrived at the European Data Protection Board, a spokeswoman told us. The EDPB is involved only if there's a cross-border dimension that requires national supervisory authorities to work together to ensure the GDPR is consistently applied, she said. Under that mechanism, the board issues opinions or, if there's a dispute between national data protection authorities, binding decisions to arbitrate. "It's the calm before the storm," emailed Hogan Lovells (London) data protection attorney Eduardo Ustaran.