What are GDPR Fines
Ever since the enforcement of the General Data Protection Regulation (GDPR) (read our guide), many organizations have found themselves in trouble with the law. Factors they have ignored while handling the personal data of people came back to bite them. Following complaints from people and associations, years of violations, unintentional and intentional, were uncovered and brought in light by several data protection authorities. Some organizations got away with lighter GDPR fines and penalties, while others were not so lucky.
Non-compliance with the law will result in hefty GDPR fines or strict actions, depending on the violation. Severe violation will subject to 4% of annual global turnover or €20 million – whichever is higher. Less severe violation will subject to 2% of annual global turnover or €10 million – whichever is higher. Other actions include written warning, temporary or permanent ban, data deletion, and restriction on data transfers. Ultimately this leads to a loss in trust and reputation of the organizations in question.
Read more about GDPR fines for non-compliance here.
This article highlights some of the most prominent GDPR violation examples that resulted in eye-watering GDPR fines.
Biggest GDPR Fines
Here are some of the organizations that violated GDPR and faced huge GDPR fines.
Marriot International Inc.
In November 2018, Marriot International notified Information Commissioner’s Office(ICO) – the UK data protection regulatory body – about a cyber-attack, which affected approximately 339 million guest records. Personal data, including payment details and passport numbers, of around 30 million records related to the European Economic Area (EEA) residents and 7 million related to UK residents were exposed.
The attack began in 2014 in Starwood Hotels’ records, which was later acquired by Marriot in 2016. Marriot discovered the hack in September 2018 but waited till November to report it, which is a violation of GDPR. The Regulation requires the data controllers to report a data breach within 72 hours of becoming aware of it. On top of that, ICO’s investigation uncovered that Marriot did not take enough measures to ensure safety when it bought Starwood.
ICO fined the hospitality company £99,200,396 for the violation.
Read the official statement from ICO here.
In September 2018, British Airways (BA) reported ICO of a breach of personal data of approximately 500, 000 of its users. The hackers stole user data, including names, addresses, credit card details, and booking details of passengers after diverting users to a fraudulent website. Even though BA reported the incident, ICO found in its investigation that the poor security management caused the leak. In July 2019, they fined BA with a whopping £183.39 million.
Read the official statement from ICO here.
Deutsche Wohnen SE
In October 2019, the Berlin Data Protection Authority (DPA) fined the German real-estate company of violating GDPR standards. They were accused of storing personal data of tenants in their archiving system that did not allow the deletion of data that was no longer necessary. The DPA audited the company in 2017. They found that Deutsche Wohnen stored personal data of tenants without checking whether they were necessary. These data included payslips, self-disclosure forms, extracts from employment and training contracts, tax data, social security, and health insurance data and bank statements. Following this, DPA conducted another audit in March 2019 that uncovered that the company still has not adopted enough measures to mitigate the violation.
The DPA fined the company €14.5 million for violation of Articles 5 and 25(1) of GDPR. The global turnover of Deutsche Wohnen SE in 2018 was more than one billion euros. So the maximum scope of the fine was €28 million. However, the Berlin DPA considered the fact that they did not misuse any of the personal data and fully cooperated with the investigation.
In addition, the Berlin data protection commissioner enforced further fines of between €6,000 and €17,000 for the storage of personal data of tenants in 15 individual cases.
On January 21, 2019, France’s CNIL fined Google €50 million for failing to get valid consent from the users for personalized ads. CNIL found that the tech giant violated Articles 12 and 13, i.e., lack of transparency. Google failed to inform users before processing their personal data. Another violation was of Article 5, i.e., the legal basis of processing. The company was unable to prove a lawful basis for processing. The consent request was not specific.
AEPD, the Spanish Data Protection watchdog, fined the top division of Spanish football, La Liga, €250,000 for violating GDPR principles. LA Liga’s mobile application that advertised to deliver live scores, commentary, highlights, and news allegedly also had a “spy mode” that discretely turns on the users’ microphone. The sound bites from the microphones were then used to identify their location, and to determine whether they are streaming live matches through pirated means. The spy mode was not an advertised feature of the app.
Per AEPD, La Liga violated Article 5 (1) – they failed to be transparent about this feature and used users’ data without informing them. La Liga should have notified users every time before the app starts recording. They also violated Article 7(3) – failed to provide an option to withdraw user consent when consent is used as the legal basis for processing. The app does not offer any means for users to revoke their consent to stop the recording after the initial consent requests.
In October 2018, ICO imposed Facebook (FB) a fine of £500,000, highest at that time, for its role in the Cambridge Analytica scandal. Cambridge Analytica, a British political consulting firm, got hold of millions of people from their FB profiles without their consent and used them for the 2016 US election campaign. ICO launched the investigation in 2017.
This was the maximum fine the data authority could impose per the old data protection law at that time. It could have been massive (4% of FB’s global turnover) if GDPR were in effect when the investigation started. It would have become the largest of GDPR fines to date.
ICO and FB have come into a settlement – they will withdraw their respective appeals. The social media giant has agreed to pay the fine but refused to take any liability.
As GDPR itself emphasizes, data matters. You should treat them with care and try to be user-centric. You might save yourself from the trouble of dealing with GDPR fines!