Kristen

Top 25 Biggest GDPR Fines (So Far)

Updated: Mar 22, 2022


2019, 2020, 2021, and 2022 (to date)

Enforcement & Fines

To illustrate the scope and enormity of GDPR, what follows is a collection of the top 25 judgments and subsequent fines related to GDPR violations. Each provides context for the violation, root cause, and how each could have been avoided.


NOTE: The remedies listed here are summarizations of research findings. As such, there is a limit to the amount of detail and context that can be provided. For a deeper look, please continue to the next post (link provided at the bottom of the page).


1. Amazon — €746 million ($877 million)

WHAT: The full reason behind the fine has yet to be confirmed, but what IS known is that it is related to "cookie consent."

CAUSE/REMEDY: Amazon needed only to obtain freely given, informed, unambiguous opt-in consent before setting cookies on its users' devices.


2. WhatsApp — €225 million ($255 million)

WHAT: The messaging service failed to properly explain its data processing practices in its privacy notice. At the time, it described the purpose of its data collection and processing only as "legitimate interest" with no further clarification.

CAUSE/REMEDY: This sort of vague, legalistic language is not acceptable in a user-facing notice, the whole purpose of which is to inform the user of how his/her data will be handled. WhatsApp should have set out its privacy information in detail, in language easily understood by all users, and named the actual purposes behind each "legitimate interest" it relied on.


3. Google Ireland — €90 million ($102 million)

WHAT: Google's European arm is responsible for cookie consent on YouTube. YouTube's cookies are used to track activity for future marketing. In this case, users could easily provide consent and accept the use of cookies (with a single click). However, it was harder to refuse them (several steps/clicks).

CAUSE/REMEDY: Consent for cookies should be the same level of effort as refusal. Given the large number of users on the YouTube platform and the company's subsequent profit, this was a hefty but proportionate fine.


4. Facebook — €60 million ($68 million)

WHAT: Facebook failed to obtain proper cookie consent. Similar to Google (both above and below), accepting cookies took a single click, but it was unclear how one could refuse or opt out, given the number of steps required and some confusing language.

CAUSE/REMEDY: Consent for cookies must be the same level of effort as refusal. Additionally, language must be clear, concise, and straightforward.


5. Google LLC — €60 million ($68 million)

WHAT: Google has multiple business entities, and each is subject to fines. In this case, Google LLC controls the search website (rather than the video-sharing platform, YouTube, referenced above). Regardless, this entity was fined for the same reason.

CAUSE/REMEDY: Consent and refusal for cookies should be equally simple.


6. Google — €50 million ($56.6 million)

WHAT: Yes, Google again... In the entity's privacy notice, the way in which consent was requested for personalized advertising and other types of data processing was vague and incomplete, not allowing users sufficient control over how and when their data was processed.

CAUSE/REMEDY: The privacy notice and the way in which consent is requested must be complete and easy to understand. If the data will be used for multiple purposes, the context and reason(s) for each must be disclosed with separate options to consent or refuse to the use of the data in each context, allowing the appropriate level of control and granularity.
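Entries 1, 3, 4, 5 and 6 all come down to the same engineering requirement: no non-essential cookie may be written before an explicit opt-in, refusing must cost the user exactly as much as accepting, each purpose must be a separate choice, and the controller must be able to prove what was consented to and when. The following is an added example, not code from the original post or from any of the companies named; the purpose names, cookie names and policy-version string are invented for illustration, and a `Map` stands in for the browser cookie jar so it runs anywhere.

```javascript
// Added example (not from the original post): a consent gate that only sets
// non-essential cookies after a per-purpose opt-in, and makes "reject all"
// exactly as cheap as "accept all". Names and versions below are assumptions.

const POLICY_VERSION = "2022-03-v1"; // assumed id of the notice the user actually saw

// Every cookie the site sets, mapped to the purpose that justifies it.
// "necessary" cookies (session, CSRF) need no consent; all others do.
const COOKIE_REGISTRY = {
  sid:        { purpose: "necessary",       description: "login session" },
  csrf_token: { purpose: "necessary",       description: "CSRF protection" },
  _ga:        { purpose: "analytics",       description: "usage statistics" },
  ad_id:      { purpose: "advertising",     description: "personalised ads" },
  pref_lang:  { purpose: "personalization", description: "remember UI language" },
};

const CONSENT_PURPOSES = ["analytics", "advertising", "personalization"];

function createConsentState() {
  // No decision yet: every non-necessary purpose is false. Silence, pre-ticked
  // boxes and "continuing to browse" never count as consent.
  const purposes = {};
  for (const p of CONSENT_PURPOSES) purposes[p] = false;
  return { purposes, decided: false, decidedAt: null, policyVersion: POLICY_VERSION };
}

function recordDecision(state, purposes, now) {
  return { ...state, purposes: { ...purposes }, decided: true, decidedAt: now, policyVersion: POLICY_VERSION };
}

// One action each, same cost to the user: the symmetry the CNIL fined
// Google and Facebook for lacking.
function acceptAll(state, now = Date.now()) {
  const all = {};
  for (const p of CONSENT_PURPOSES) all[p] = true;
  return recordDecision(state, all, now);
}
function rejectAll(state, now = Date.now()) {
  return recordDecision(state, createConsentState().purposes, now);
}

// Granular choice per purpose (the control the 2019 Google fine was about).
function setPurpose(state, purpose, granted, now = Date.now()) {
  if (!CONSENT_PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return recordDecision(state, { ...state.purposes, [purpose]: granted }, now);
}

// Withdrawal must be as easy as giving consent (Art. 7(3)); it is just rejectAll.
const withdrawAll = rejectAll;

function mayWrite(state, cookieName) {
  const entry = COOKIE_REGISTRY[cookieName];
  if (!entry) return false;                         // unregistered cookie: deny by default
  if (entry.purpose === "necessary") return true;
  return state.decided && state.purposes[entry.purpose] === true;
}

// The only path through which the site writes cookies. `jar` is a Map here;
// in a browser it would wrap document.cookie.
function setCookie(jar, state, name, value) {
  if (!mayWrite(state, name)) {
    const purpose = COOKIE_REGISTRY[name] ? COOKIE_REGISTRY[name].purpose : "unknown";
    return { ok: false, reason: `no consent for ${purpose} cookie '${name}'` };
  }
  jar.set(name, value);
  return { ok: true };
}

// Proof of consent the controller must be able to produce (Art. 7(1)).
function consentReceipt(state) {
  return JSON.stringify({
    policyVersion: state.policyVersion,
    decidedAt: state.decidedAt,
    purposes: state.purposes,
  });
}

// Usage: a fresh visitor can get a session cookie but not an analytics one.
const jar = new Map();
const visitor = createConsentState();
setCookie(jar, visitor, "sid", "abc123");   // ok: necessary
setCookie(jar, visitor, "_ga", "GA1.2.1");  // refused: no analytics consent yet
```

Two design points matter more than the banner itself: the registry makes an unknown cookie a denied cookie rather than a silently tracked one, and the receipt ties each decision to the policy version shown at the time, which is what a regulator asks for when consent is disputed.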


7. H&M — €35 million ($41 million)

WHAT: H&M was fined for internal practices involving its employees rather than its customers. (This one brings up an aspect that is often overlooked: GDPR protects an employee's data in the same way as a user's.) As part of normal process, after an employee returned from vacation or sick leave, H&M required "return-to-work" meetings, and the meetings were recorded. Recordings covering several hundred employees were retained with no safeguards or security controls restricting or auditing access to them; they were found to be accessible to more than 50 managers. Senior staff were reported to have used the detailed information about employees' personal lives captured in the recordings to evaluate performance and make employment decisions.

CAUSE/REMEDY: GDPR's data minimization principle (the privacy counterpart of least privilege) applies with particular force to special-category data such as an employee's health or beliefs, which here was collected with no specific purpose and no valid consent. The employees should not have been recorded without their consent, and neither implied consent nor consent made a condition of employment is valid, because consent must be freely given. Even with valid consent, strict access controls and audit logging should have limited who could reach the recordings, and their content should never have been used for employment decisions.


8. TIM — €27.8 million ($31.5 million)

WHAT: Telecom Italia (an Italian telecommunications operator) had a series of violations over several years directly related to aggressive marketing. Millions of individuals received promotional calls and unsolicited communications, some of whom were on non-contact and/or exclusion lists.

CAUSE/REMEDY: TIM should have provided a way in which consent was requested based on each proposed use of their data, including the context and reason(s) for each, to allow the user the appropriate level of control and granularity.


9. British Airways — €22 million ($26 million)

WHAT: British Airways suffered a data breach affecting about 400,000 customers, exposing log-in details, payment card information, names, and addresses. The attack was preventable with standard security measures; even basic multi-factor authentication had not been implemented.

CAUSE/REMEDY: British Airways should have implemented appropriate technical and organizational security measures (Article 32), including multi-factor authentication, alongside data privacy policies and procedures.


10. Marriott — €20.4 million ($23.8 million)

WHAT: Starwood Group's reservation system was hacked in 2014; Marriott acquired the company in 2016. The intrusion was not discovered until September 2018. Over the four-year period, 383 million guest records, 30 million of them belonging to EU residents, were exposed, including names, addresses, passport numbers, and payment card information.

CAUSE/REMEDY: Marriott should have conducted appropriate levels of due diligence before AND after the acquisition, taking additional measures to safeguard the data.


11. Wind — €17 million ($20 million)

WHAT: Wind (a telecoms company) was fined due to unlawful direct marketing activities after authorities received complaints of Italians being spammed with ads without their consent. The users were also provided with incorrect contact details, leaving them unable to unsubscribe. The company's privacy policy was vague, incomplete, and out of date. It was also found that Wind's mobile apps forced users to agree to direct marketing and location tracking, and its business partners had undertaken illegal data-collection activities.

CAUSE/REMEDY: Wind should have provided a way in which consent was requested based on each proposed use of data, including the context and reason(s) for each (establishing a lawful basis for direct marketing), to allow the user the appropriate level of control and granularity.


12. Vodafone Italia — €12.3 million ($14.5 million)

WHAT: Vodafone's data processing had multiple issues including failing to properly secure customer data, sharing it with third-party call centers, and processing without a legal basis. This was found after complaints were lodged about the company's telemarketing campaigns. While the marketing campaign was the trigger, data management and security were the more fundamental issues.

CAUSE/REMEDY: Vodafone should have audited its data regularly, documented every third-party relationship and every processing activity, and disclosed all of this to users so that their consent was informed.


13. Notebooksbilliger.de — €10.4 million ($12.5 million)

WHAT: The German electronics retailer used CCTV cameras to monitor its employees and customers for two years, keeping recordings for up to 60 days. While the company cited theft prevention as the legal basis, this monitoring was an intrusion on its employees' and customers' privacy.

CAUSE/REMEDY: While CCTV isn't prohibited under GDPR, you must ensure it is a legitimate and proportionate response to a specific problem. NBB's use was not, and was also not limited to a specific incident, person, or period of time.


14. Austrian Post — €9 million ($10.23 million)

WHAT: The Austrian mail carrier failed to facilitate data subject rights requests properly. If/when a data subject wanted to access, delete, or rectify personal data, while the company provided several ways to make a request, they did not accept emailed requests.

CAUSE/REMEDY: The Austrian DPA concluded that data subjects should have been allowed to submit requests in any medium that they preferred. This may seem unfair but excluding any particular communication method is not an acceptable way to facilitate rights.


15. Eni — €8.5 million ($10 million)

WHAT: Eni Gas e Luce, the energy-supply subsidiary of Italian oil and gas group Eni, made marketing phone calls with no legal basis.

CAUSE/REMEDY: While telemarketing is regulated through several directives, GDPR fines can also be levied as it relates to the processing of a user's personal data. Eni should have requested proper consent.


16. Vodafone Spain — €8.15 million ($9.72 million)

WHAT: Similar to the previous entry for Vodafone Italia, Vodafone Spain's total is made up of four fines covering telecommunications and cookie violations. There were 191 separate complaints regarding Vodafone's marketing activities, as they had not taken sufficient organizational measures to ensure users' data was processed lawfully. Additionally, they had outsourced marketing to a third-party.

CAUSE/REMEDY: Vodafone Spain should have performed regular audits of the data, conducted ongoing validation that the processing was lawful, documented all relationships with third parties, maintained specific data processing agreements, and ensured that there was a valid legal reason for the outsourcing of any processing activity to a third party. All should have been disclosed to the user for prior consent. In both Vodafone cases, the complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data and its uses.


17. Google — €7 million ($8.3 million)

WHAT: The Swedish Data Protection Authority (SDPA) fined Google for neglecting to remove a pair of search results listings under the "right to be forgotten" rules, also known as the right to erasure (Article 17).

CAUSE/REMEDY: Google should have fulfilled the rights of the data subjects, primarily the right to be forgotten. GDPR requires that a process is in place to respond to requests for erasure without undue delay and within one month of receipt.


18. Caixabank — €6 million ($7.2 million)

WHAT: This fine is the combination of two violations and, when issued in January 2021, was the largest ever imposed by the Spanish DPA. €4 million related to the legal basis for using consumers' personal data (Article 6): Caixabank relied on the generic term "legitimate interests" but failed to conduct and document a legitimate interests assessment. An additional €2 million was incurred for violating transparency requirements (Articles 13 and 14). The company's privacy policy was vague and inconsistent and did not meet the opt-in standard.

CAUSE/REMEDY: Caixabank could have avoided these penalties by documenting the context and reason(s) for their claim of legal basis and allowing the user the appropriate level of granularity in the privacy statement to make an informed decision. You must use clear language and be consistent across websites and platforms.


19. BBVA (bank) — €5 million ($6 million)

WHAT: This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020, and is the second largest imposed by the Spanish DPA. Not coincidentally, it shares similarities with the Caixabank violations above, which was issued the following month. BBVA was fined €3 million for sending SMS messages without obtaining consumers’ consent. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used personal data.

CAUSE/REMEDY: BBVA could have avoided these penalties by gaining consent for direct marketing messages and ensuring that their privacy policy was clear and complete in describing the way(s) in which the users' data was collected and how it would be used (Articles 13 and 14).


20. Fastweb — €4.5 million ($5.5 million)

WHAT: The Italian telecoms company was fined in 2021 for engaging in unsolicited telephone marketing without consent. Specifically, the company was also using "fraudulent" telephone numbers, i.e., not registered with Italy's Register of Communication Operators. (Italy requires the disclosure and registration of all telemarketing entities in order to ensure transparency to the public of ownership and vested interests.) While the telemarketing rules are set out in Italy's implementation of the ePrivacy Directive, this is still a violation of GDPR because of the failure to obtain the users' consent.

CAUSE/REMEDY: For GDPR, Fastweb should have ensured that the privacy policy was clear and complete in describing the way(s) in which the users' data was collected and how it would be used (Articles 13 and 14) in order to obtain valid consent. (This is a good example of the interplay between laws and regulations of which companies must be aware. In this case, the ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent —and the standard is very high.)


21. Eni Gas e Luce — €3 million ($3.6 million)

WHAT: The Italian energy supplier (the same company as entry 15 above) was fined twice, both decisions dating from December 2019. It was a complicated case, but the root problem was the failure to obey GDPR's principle of accuracy (Article 5(1)(d)).

CAUSE/REMEDY: Data protection is about more than just privacy —it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up to date.


22. Capio St. Göran AB — €2.9 million ($3.4 million)

WHAT: The Swedish healthcare provider was fined following an audit of one of its hospitals. The audit found that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data.

CAUSE/REMEDY: The company should have conducted a data protection impact assessment (DPIA), which is mandatory for controllers undertaking high-risk processing such as large-scale handling of health data (Article 35). That assessment should have determined which staff genuinely need access to medical records and other personal data, and to what extent, with access controls and audit logging enforcing the result.
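The Capio finding (too many staff could reach sensitive records) and the H&M finding in entry 7 (recordings open to more than 50 managers, with no audit trail) share a remedy: deny-by-default access bound to a role, a stated purpose and, for clinical data, an actual care relationship, with every decision logged and a way to count who can reach special-category data at all. The following is an added example, not code from the original post or from either company; the roles, field names, policy and sample records are invented for illustration.

```javascript
// Added example (not from the original post): purpose-bound, deny-by-default
// access to sensitive records with an audit log and an exposure report.
// Roles, fields, policy rules and sample data are assumptions for the example.

// Special categories under Art. 9; any request touching these is flagged in the log.
const SPECIAL_CATEGORY_FIELDS = new Set(["health", "religion", "politics", "unionMembership"]);

// Policy: which role may read which fields, for which purpose. Nothing else is allowed.
// "requires" adds a relationship check on top of the role (need-to-know, not just job title).
const POLICY = [
  { role: "treating_clinician", purpose: "treatment",     fields: ["name", "dob", "health"], requires: "careRelationship" },
  { role: "billing",            purpose: "billing",       fields: ["name", "dob", "insuranceId"] },
  { role: "hr",                 purpose: "absence_admin", fields: ["name", "absenceDates"] },
];

function authorize(request, record, auditLog, now = Date.now()) {
  const { actor, purpose, fields } = request;
  const rule = POLICY.find(r => r.role === actor.role && r.purpose === purpose);
  let decision = "deny";
  let reason;
  if (!rule) {
    reason = "no rule for this role/purpose";
  } else {
    const disallowed = fields.filter(f => !rule.fields.includes(f));
    if (disallowed.length > 0) {
      reason = `fields not permitted: ${disallowed.join(",")}`;
    } else if (rule.requires === "careRelationship" && !record.careTeam.includes(actor.id)) {
      reason = "actor is not on the record's care team";
    } else {
      decision = "allow";
      reason = "policy match";
    }
  }
  // Every decision, allowed or denied, is written to the audit log.
  auditLog.push({
    ts: now, actorId: actor.id, role: actor.role, purpose, recordId: record.id,
    fields: [...fields], decision, reason,
    specialCategory: fields.some(f => SPECIAL_CATEGORY_FIELDS.has(f)),
  });
  if (decision === "deny") return { allowed: false, reason };
  // Return only the requested fields, never the whole record (data minimisation).
  const view = {};
  for (const f of fields) view[f] = record[f];
  return { allowed: true, data: view };
}

// Could this person reach any special-category field of this record under any rule?
function canReachSpecialCategory(actor, record) {
  return POLICY.some(r =>
    r.role === actor.role &&
    r.fields.some(f => SPECIAL_CATEGORY_FIELDS.has(f)) &&
    (r.requires !== "careRelationship" || record.careTeam.includes(actor.id)));
}

// The number the Capio audit found to be too high: who can see sensitive data at all.
function exposureReport(staff, record) {
  return staff.filter(a => canReachSpecialCategory(a, record)).map(a => a.id);
}

// Constructed sample data (not real people).
const SAMPLE_RECORD = {
  id: "P-001", name: "Example Patient", dob: "1980-01-01", health: "sample diagnosis",
  insuranceId: "INS-1", absenceDates: ["2022-02-01"], careTeam: ["dr-1"],
};
const SAMPLE_STAFF = [
  { id: "dr-1", role: "treating_clinician" },
  { id: "dr-2", role: "treating_clinician" },
  { id: "b-1",  role: "billing" },
  { id: "hr-1", role: "hr" },
];

// Usage: only the clinician on the care team can read the diagnosis.
const log = [];
authorize({ actor: SAMPLE_STAFF[0], purpose: "treatment", fields: ["name", "health"] }, SAMPLE_RECORD, log);
authorize({ actor: SAMPLE_STAFF[1], purpose: "treatment", fields: ["name", "health"] }, SAMPLE_RECORD, log);
```

The exposure report is the check to run before a regulator does: if it returns a list much longer than the set of people who actually treat or administer the subject, the policy is too broad, regardless of how good the rest of the security stack is.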


23. Iren Mercato — €2.85 million ($3.4 million)

WHAT: The Italian energy company was fined for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third-party marketing company acting as a data processor.

CAUSE/REMEDY: The company should have audited the data regularly, validated on an ongoing basis that the processing was lawful, documented all relationships with third parties, maintained specific data processing agreements, and ensured that there was a valid legal reason for outsourcing any processing activity to a third party. All of this should have been disclosed to the user for prior consent. Even when using third-party services, the controller remains directly liable under GDPR if it fails to establish a valid legal basis and obtain consent.


24. Foodinho — €2.6 million ($3 million)

WHAT: The Italian delivery platform was fined for failing to obey the rules on automated decision-making (Article 22): it used an algorithm to rank its riders and assign them work, which determined their earnings. It was also found to violate the principle of "lawfulness, fairness, and transparency" (Article 5) by failing to give riders adequate information about how the system worked.

CAUSE/REMEDY: This is the first fine in the list in a niche area of compliance: solely automated decision-making with legal or similarly significant effects (Article 22). In short, if decisions are made purely by an algorithm yet could affect a person's finances, employment, or access to services, the person must be told that this is happening, must be able to obtain human intervention, and must be able to contest the decision. In practice that means building a human review path into the process rather than bolting it on afterwards.


25. National Revenue Agency (Bulgaria) — €2.6 million ($3 million)

WHAT: The agency suffered a data breach affecting 5 million people. The compromised data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control.

CAUSE/REMEDY: The agency should have performed a thorough risk assessment (Article 32) of its processing operations and implemented security measures and data privacy policies and procedures to safeguard personal data.



Compiled from data originally published by Tessian.


Republished with permission from eruditeMETA, ©2022. All rights reserved.



© 2018-2023 By Kristen Swearingen - swearingen.me | MiddleChild Tech | eruditeMETA. All rights reserved.

This publication may not be reproduced or distributed in any form without the author's prior written permission. It consists of opinions of the author's research and experience, which should not be construed as statements of fact. While the information contained in this publication has been created and cited where obtained from sources believed to be reliable, the author disclaims all warranties as to the accuracy, completeness, or adequacy of such information. Although this post and cited research may address legal and financial issues, the author does not provide legal or investment advice and its publication should not be construed as such. Your access and use of this publication is governed by the Usage Policy for swearingen.me | MiddleChild Tech | eruditeMETA, respectively. The author prides his/her/their self on his/her/their reputation for independence and objectivity. The research and publication(s) are produced independently by its authors and organization without input or influence from any third party. For further information, see the Guiding Principles on Independence and Objectivity.
