
Yes. But there are too few of them, and usually in situations where other companies can still wait and see. "We aren't Facebook", "We are too small to be noticed" and "but we had them sign a waiver" are still prevalent in most companies.

For things to change, there would really need to be something like:

- data protection fines the whole of the customer list of Amazon/Google/MS cloud

- data protection fines a high-profile company a lot of money for using Office365

- a court forces a public institution to cease using Office365 (no fines possible there)

- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.




There's nothing wrong with prosecuting the large perpetrators first, and only going into the smaller ones once the large ones are under control. In fact, it's the cost-effective way of doing it.

Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.


> - a court forces a public institution to cease using Office365 (no fines possible there)

AFAIK, in Norway, most fines have been directed at public institutions.


Don't know about Norway. But whether fines apply to public institutions is up to the member states, and most member states, including Germany, have decided not to fine their public institutions for GDPR violations.


> have decided not to fine their public institutions for GDPR violations

Because they’re too Byzantine to make enforcement practicable, or because they’re not seen as a privacy risk (the government in Germany should know lots about you), or something else?


The official argument is that fining public institutions is a game of taking from the right pocket to put in the left pocket. It's the state fining itself. Also, officially, public servants are thought to obey the law as a matter of course. A certain interpretation of the law can just be made an official order to all subordinate government agencies, and any civil servant disobeying that interpretation is at fault for not performing their duties and treated accordingly.

However, that all leads to the obvious workarounds: the official interpretation is usually the most lenient possible, and compliance is put off to some time next century due to lack of personnel/budget/willpower. And if something is found to be amiss, the data protection officer may order a government agency to fix whatever is wrong, but can neither fine nor discipline a civil servant, because disciplining is up to the direct disciplinary superior, who cannot be (due to them being independent) the data protection officer.



