When in 2020 the UK Information Commissioner’s Office (ICO) made headlines with the monumental fines it imposed on British Airways and the hotel chain Marriott for data breaches under the GDPR, concern was raised about just how high these fines could get.
In theory, according to the legislation, the fine for a personal data breach can reach up to 4% of the company’s annual global turnover or up to €20 million, whichever is higher. In practice, regulators have (so far) not gone as far as imposing the maximum fine; nevertheless, the sums appear to be on an upward trend.
- The first truly eye-catching GDPR fine since its implementation in May 2018 was levied by the French regulator, CNIL, against Google for €50 million following complaints from Austrian activist Max Schrems’ organisation ‘NOYB’ and French NGO ‘La Quadrature du Net’. The case was based on how Google communicated its privacy policy and obtained consent from its users. According to CNIL, consents given by users were not specific and not unambiguous – a decision which was upheld on appeal.
Whilst not all ensuing fines were of the same calibre as the first hit, it appears as though this move gave DPAs the confidence to issue bolder fines to companies of all sizes.
- In 2019, the Italian authority Garante fined Eni Gas e Luce, an oil and gas company, €8.5 million for processing customers’ personal data without a legal basis in order to make marketing phone calls.
- Garante also served the next splashy fine under the GDPR in 2020, €27.8 million to TIM, an Italian telecommunications company. The Italian regulator made this decision following hundreds of complaints concerning several breaches, such as aggressive marketing strategies, in particular unsolicited commercial communications, including communications to individuals who had explicitly withdrawn their consent. In one case, TIM had contacted a single individual 155 times over the course of a month. Additionally, the company was obtaining invalid consents for data processing and exceeding data retention limits. The authorities cited the incessant nature of the communications as an aggravating factor when assessing the final sum.
- Similar issues with obtaining valid consent for commercial communications cost another Italian telecoms company, Wind Tre, €16.7 million. Wind Tre’s customers notified the authorities of the concerning fact that not only were they receiving unsolicited communications through several channels, but they also could not unsubscribe due to an issue with the company’s Data Protection Policy.
The end of 2020 saw some of the highest and most headline-grabbing fines to date.
- The Data Protection Authority of Hamburg imposed a monumental €35.2 million fine on the retail brand H&M for recording extensive details about its employees’ private lives over several years. This information was gathered from welcome-back interviews conducted following absences or sick leave, but also from casual conversations on the shop floor and video recordings of employees’ activities. While this excessive data collection greatly encroached on H&M employees’ civil rights, the company also demonstrated unprecedented corporate responsibility and accountability during and after the investigation by cooperating closely with the DPA. This served in its favour in the determination of the final sum.
- In perhaps the most shocking ICO decision at the time, British Airways was faced with a whopping 189.39 million GBP fine following a cyber attack which left the data of 500,000 customers compromised. The attack appeared to be financially motivated and went undetected for two months, which led the regulator to list potential financial loss, potential exploitation by hackers with access to personal data, distress and other inconveniences as possible consequences for the affected individuals. However, the ICO finally reduced the fine to €22.05 million due to the impact of COVID-19 on the financial situation of the company in 2020.
- Not long after the sky-high BA case, the ICO issued an intention to fine the hotel chain Marriott 99.2 million GBP for a cyber incident which led to approximately 339 million guest records globally becoming exposed. While the vulnerability most likely originated in the systems of the Starwood hotel group, which Marriott later acquired, the British regulator held that Marriott should have carried out appropriate due diligence. Like the previous massive fine, this one too was substantially lowered after all mitigating factors were considered: the hotel chain finally paid €20.45 million. Marriott’s full cooperation with the DPA, previous investments made to improve security and the adverse impact of the pandemic on business all contributed to lowering the final sum.
- Coming just two weeks after Marriott, Garante’s €12.25 million fine on Vodafone Italia almost seems too low to figure on this list. However, it is still the third highest fine on a telecommunications company to date and a substantial one for just a national branch. Vodafone unlawfully processed customers’ personal data to make commercial calls without obtaining valid consent to do so, used fake numbers to make promotional calls and did not manage data securely for 15 years. When settling on the final sum, the Italian DPA took note of the particular pervasiveness of the unsolicited communications, made despite the company’s full knowledge that such actions constitute data protection breaches.
In the late summer of 2021, just two fines caused the cumulative sum of all GDPR fines since the beginning of its enforcement in 2018 to quadruple.
- The Luxembourg DPA fined Amazon a colossal €746 million for issues regarding cookie consent. Whilst not many details have been divulged about this case, it has been made crystal clear from the start that Amazon feel the allegations are without merit. It is in fact due to the ongoing appeal that the regulator has not yet been able to publish its fine decision. It may prove difficult for the e-commerce giant to clear its name in this appeal, but it is entirely likely the massive fine will be reduced, as was previously the case with British Airways and Marriott.
- Last but not at all least, the most recent mega-fine, at €225 million, was levied against WhatsApp not long after the headline-grabbing Amazon case. The Irish DPA (DPC) surprised the world with its decision, as it had previously not been very active in GDPR enforcement, and any fines it had given were certainly grains of sand compared to this mountain. According to the DPC, the issue lies in the transparency and accessibility of the information in WhatsApp’s privacy notices, in particular an unclear legal basis for certain data processing. This second highest fine to date, a product of eight other supervisory authorities stepping in to argue for a much higher sum than the DPC originally intended, may still be significantly reduced after the conclusion of WhatsApp’s ongoing appeal.
These last off-the-charts penalties reminded the world that the GDPR has teeth and that even regulators that are not typically very active enforcers should not be underestimated. This may ring especially true for the massive international companies with their offices in Ireland, and will hopefully encourage these giants to take significant steps to improve their data privacy policies.
On the other hand, incredibly high fines such as those on Amazon and WhatsApp can create an air of uncertainty and inconsistency around the enforcement of the GDPR, as fines become much harder to predict.
What is becoming apparent, though, is that EU regulators are not intimidated by huge subjects and that authorities tend to grow bolder in their decisions, showing the true power of the GDPR.