Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25 May 2018.
However, the total amount of GDPR fines issued so far does not really follow those numbers. Despite the 160,000+ violations reported to the data protection authorities, GDPR fines add up to a little over €175 million, which is not a staggering number.
According to DLA Piper’s latest GDPR Data Breach Survey, data protection regulators have imposed EUR114 million in fines under the GDPR regime for a wide range of GDPR infringements, not just for data breaches. France, Germany and Austria top the rankings for the total value of GDPR fines imposed, with just over EUR51 million, EUR24.5 million and EUR18 million respectively. The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators, with 40,647, 37,636 and 22,181 notifications respectively.
Still, if the beginning of the year is any indicator, EU citizens can sleep soundly. There are signs that other authorities will become more proactive this year, as the Spanish Data Protection Authority (AEPD) and the Italian Garante have both been very active recently, even with the coronavirus pandemic in the background.
Two levels of GDPR fines
• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher
• the upper level is twice that: up to €20 million, or 4% of the worldwide annual revenue from the previous year, whichever is higher
Honorable mentions - BA and Marriott
So far, the ICO has only issued notices of its intention to fine Marriott International and British Airways under the GDPR for data breaches.
Remember, the first GDPR fine issued by the ICO was actually to the Doorstep Dispensaree pharmacy.
So, since the fines are not yet final, we will not include them on our list, but we still think they are worth mentioning:
In July 2019, the ICO announced its intention to issue a €204.6 million (£183.39 million) fine to British Airways for violation of Article 31 of the GDPR. The incident occurred in September 2018, when the British Airways website diverted user traffic to a fraudulent site. This resulted in attackers stealing the personal data of more than 500,000 customers.
The company had inadequate security mechanisms in place to prevent such cyber-attacks. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”
Also in July 2019, the ICO issued a statement of its intent to fine Marriott International for infringements of the GDPR. The ICO explained that the fine related to a cyber-attack in which personal data from over 339 million guest records were exposed. Of those 339 million individuals, 31 million were residents of the EEA.
Marriott International exposed itself to the cyber-attack after its acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.
5 biggest GDPR fines in 2020
1. Google – €50,000,000
On 21 January 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million. This is the biggest GDPR fine to date, and it was issued for violations of:
• Information to be provided where personal data are collected from the data subject – Article 13,
• Information to be provided where personal data have not been obtained from the data subject – Article 14,
• Lawfulness of processing – Article 6,
• Principles relating to the processing of personal data – Article 5
The fine was issued on account of a lack of transparency about how data were collected from data subjects and used for ad targeting. Google failed to give users enough information about its consent policies and did not give them enough control over how their personal data is processed.
2. TIM – €27,800,000
January 15, 2020, was a critical day for the Italian telecommunications operator TIM. The Italian DPA, the Garante, issued a €27.8 million GDPR fine for quite an extensive list of violations. The scope of the unlawful activity is hard to ignore: TIM contacted non-customers repeatedly (certain numbers over 150 times per month) without proper consent or any other legal basis.
A few million individuals were affected by this aggressive marketing strategy. The violations involved:
• Improper management of consent lists
• Excessive data retention
• Data breaches
• Lack of proper consent
• Violation of data subjects’ GDPR rights
The personal information involved included name, surname or company name; tax code or VAT number; telephone line; address; and contact details.
3. Austrian Post – €18,000,000
We covered this case before in one of our blogs, so you can read the entire case here. In short, the Austrian Data Protection Authority issued an €18 million GDPR fine (plus €1.8 million in investigation costs) to the Austrian national postal service on 23 October 2019. It is to date the biggest GDPR fine issued in Austria.
Austrian Post had created profiles of more than 3 million Austrian citizens, over one-third of Austria’s total population. Personal preferences, political interests, addresses and other information were collected and then sold to third parties.
4. Wind Tre S.p.A. – €16,700,000
Just as we predicted in our blog, the Italian DPA, the Garante, has stepped up its activity in 2020 and issued a €16,700,000 GDPR fine to the telecommunications company Wind Tre S.p.A.
The fine was issued for unlawful processing of personal data for marketing purposes, after more than a hundred customers filed complaints about unsolicited marketing communications (emails, calls and SMS) and about their phone numbers being listed in public phonebooks against their wishes.
What really pushed the Garante to issue such a large fine was that customers were unable to withdraw their consent, because the company’s data protection policy did not provide all the necessary information. The GDPR Articles violated in the process were:
• Principles relating to processing of personal data – Art. 5
• Lawfulness of processing – Art. 6
• Transparent information, communication and modalities for the exercise of the rights of the data subject – Art. 12
• Responsibility of the controller – Art. 24
• Data protection by design and by default – Art. 25
5. Deutsche Wohnen
The highest German GDPR fine to date was issued to the real estate company Deutsche Wohnen on October 30, 2019, by the Berlin Commissioner for Data Protection and Freedom of Information. The fine relates to the retention period of personal data: the company failed to provide GDPR-compliant data retention and deletion procedures for the personal data of its tenants.
The official statement clarified: “[…] the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required.”
5 biggest GDPR fines - conclusion
This is the current list of the biggest GDPR fines so far, but we have a feeling that this list is going to change a lot in 2020. As the DLA Piper report states:
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”
So we believe there will be a lot more GDPR-related enforcement activity in 2020.
Courtesy – DLA Piper