The GDPR: past, present, and future (25 May 2022)
From humble beginnings in May 2018, when a pharmacy in North London was fined £275,000 for carelessly storing documents containing patient data… fast forward to May 2022, where we now see huge fines across most sectors. It is fair to say that the General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws.
In its first four years, more than 900 fines were issued under the GDPR, totalling over €1.5 billion. Remember, Supervisory Authorities can impose fines of up to €20 million or 4% of worldwide turnover for the preceding financial year, whichever is greater.
No sector is immune to these fines; here are just a few of the ‘A’-listers.
GDPR fines in Retail
Amazon: €746 million
This huge fine was listed in the company’s July 2021 earnings report. It marks the second time Amazon has been penalised for the way it collects and shares data via cookies.
H&M: €35 million
In October 2020, the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 for data minimisation violations arising from how it ‘monitored employees’.
Notebooksbilliger.de (NBB): €10.4 million
German electronics retailer notebooksbilliger.de (NBB) was fined in January 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. While the use of CCTV is not prohibited under the GDPR, it must be a legitimate and proportionate response to a specific problem.
REWE International: €8 million
The Austrian food retailer REWE International was fined for misusing data collected through its loyalty programme. The company had been collecting users’ data without their consent and using it for marketing purposes.
Foodinho: €2.6 million
The Italian Data Protection Authority, Garante, fined groceries delivery service Foodinho in June 2021 for failing to follow the requirements on ‘automated processing’. The delivery service was using an algorithm to determine employees’ wages and workflow. Any AI-driven decision about people that could impact their finances, employment, or access to services must include a human review of that decision.
GDPR fines in Telecommunications
Cosmote Mobile Telecommunications: €6 million
The fine was issued by the Greek DPA, the Hellenic Data Protection Authority (HDPA), after a hack in September 2020 resulted in customers’ confidential information being compromised. It was revealed that the company was unlawfully processing customer data that was not fully pseudonymised, making it easier for cybercriminals to identify individuals from the data.
Wind: €17 million
The Italian Data Protection Authority (DPA) fined telecoms company Wind €16,729,600 for unlawful direct marketing activities. The regulator found that Wind’s mobile apps forced users to agree to direct marketing and location tracking, and that its business partners had undertaken illegal data-collection activities.
Vodafone Italia: €12.3 million
Vodafone Italia’s November 2020 fine was given because the company failed to properly secure customer data, shared personal data with third-party call centres, and processed data without a legal basis. This was closely followed in March 2021 by…
Vodafone Spain: €8.15 million
This Vodafone fine stands as Spain’s largest, issued by the Spanish Supervisory Authority (AEPD), which has imposed many substantial penalties. The fine resulted from 191 separate complaints regarding Vodafone’s marketing activity.
GDPR fines in Energy
Enel Energia: €26.5 million
In January 2022, Garante, the Italian DPA, fined the multinational electricity and gas supplier for failing to obtain user consent or inform customers before using their personal data for telemarketing calls.
Eni: €8.5 million
Eni Gas e Luce (Eni) was fined twice for making marketing phone calls without a proper legal basis; the earlier fine was €3 million in 2019. Telemarketing is covered by the ePrivacy Directive, but this demonstrates how processing personal data without a proper legal basis can lead to a GDPR fine.
Iren Mercato: €2.85 million
In June 2021, Iren Mercato was fined because a third-party marketing company acting as its data processor was obtaining personal data without proper consent.
GDPR fines in Transportation
British Airways: €22 million
In 2018 British Airways’ systems were compromised. The breach affected the details of 400,000 customers, including payment card information and travellers’ names and addresses.
GDPR fines in Banking and Finance
Caixabank: €6 million
BBVA (bank): €5 million
The Spanish Supervisory Authority, AEPD, fined the bank for sending SMS messages without obtaining consumers’ consent.
Dutch Tax and Customs Administration: €3.7 million
In April 2022, the Dutch Tax and Customs Administration was fined for unlawfully processing the personal data of around 270,000 people by placing them on the Fraud Signalling Facility (FSV) blacklist.
National Revenue Agency (Bulgaria): €2.6 million
In 2019 the Agency suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organisational measures to protect the personal data under its control.
GDPR fines in Healthcare
Capio St. Göran AB: €2.9 million
The fine followed an audit that revealed the healthcare provider had failed to carry out appropriate risk assessments and implement access controls, resulting in many employees having access to sensitive personal data.
GDPR fines in Hospitality
Marriott: €20.4 million
Some 383 million guest records were exposed after the hotel chain’s guest reservation database was compromised. The hack originated in Starwood Group’s reservation system in 2014. Although Marriott acquired Starwood in 2016, the hack was not detected until September 2018. The UK Supervisory Authority (ICO) found that Marriott had failed to perform adequate due diligence after acquiring Starwood.
GDPR fines on Social media platforms
WhatsApp: €225 million
The messaging service had failed to properly explain its data processing practices in its privacy notice.
Facebook: €60 million
The social media platform received this fine for failing to obtain proper cookie consent from its users.
Meta (Facebook) Ireland: €17 million
In March 2022, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland because it could not demonstrate the security measures it had in place to protect users’ data.
Google Ireland: €90 million
Fined for its cookie consent procedures on YouTube.
Google LLC: €60 million
Google LLC was fined on the same day for the same reason, but in relation to its website rather than YouTube.
Google: €50 million
The case related to how Google provided its privacy notice to users and how the company requested their consent for personalised advertising and other types of data processing.
Finally, for the present
Some of the biggest fines involve marketing activities. However, beyond failures to honour people’s right to object and to erase personal data on request, there is also the unlawful recording of biometric data, shown here in the Clearview example.
Clearview AI: €20 Million
Fined for unlawful processing of personal biometric and geolocation data, and for breaching several principles of the GDPR, including purpose limitation and storage limitation.
The GDPR has led where other countries have followed. The California Consumer Privacy Act (CCPA) came into force in 2020, and the more expansive California Privacy Rights Act (CPRA) will replace it in 2023. Brazil has introduced the LGPD, India has the long-awaited Personal Data Protection Bill (PDP), and China has the Personal Information Protection Law. The list continues, but it demonstrates that data protection is now at the forefront of everyone’s mind.
Financial and security regulations are aligning. Penalties are no longer the sole domain of Data Protection Supervisory Authorities but could come from any regulator. The Financial Conduct Authority fined Tesco £16.4 million for failing to protect customers’ accounts and not doing enough to prevent financial crime.
We also see an increased desire to control Big Tech, for example the German Data Protection Commissioner insisting that government organisations shut down their Facebook pages, and the UK’s Online Safety Bill, which seeks oversight to tackle harmful online content.
Let’s not forget that regulations are often challenged, and the Schrems II judgement has led to massive changes in the international transfer of personal data.
Data protection and privacy regulations are now part of everyday life but watch this space because it is an evolving landscape.
Building cybersecurity awareness, especially in relation to emerging threats and the GDPR, is the backbone of TSC’s offering. No matter the attack surface or platform, TSC’s service will ensure your employees are aware of, and knowledgeable about, the threats they will come across.
If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.