As already mentioned here several times, the General Data Protection Regulation (GDPR) is one of the most important and, at times, most controversial data protection laws enacted in Europe in recent decades. Before the GDPR was adopted, during the run-up to it becoming applicable and well beyond that, advertising groups, large media houses, gig-economy companies and many other interest groups warned of negative consequences for the economies of the EU member states and of supposedly enormous burdens for small and medium-sized enterprises (SMEs) and civil-society associations.
The GDPR recently celebrated its fifth birthday and, in retrospect, many of the concerns voiced at the time can be considered largely unfounded, or can be read as an attempt by IT corporations to go on collecting and selling users’ data for profit without being held accountable.
On the other hand, the GDPR has by no means achieved all the goals for which it was created. In its early years, and in some cases until quite recently, the data protection authorities of the EU member states tended to rely on warnings and non-binding appeals to the corporations whose practices ran contrary to the GDPR.
This may make sense when a law of this kind is introduced, and direct communication or a warning should generally be the first remedy, but the GDPR can and should be a sharp sword, especially against repeat offenders. A data protection law can only take full effect and actually protect the informational self-determination of EU citizens if the disadvantages of deliberately misusing data clearly exceed the (usually economic) advantages.
The GDPR assigns precisely this role to fines, which under Article 83 must be “effective, proportionate and dissuasive”. Depending on the nature, gravity and duration of the infringement, the degree of intent or negligence and the cooperation shown, a fine can amount to up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, and for the more serious category of infringements (for example violations of the basic principles of processing, of data subjects’ rights or of the rules on international transfers) up to €20 million or 4% of that turnover, whichever is higher. The reference figure is turnover, not profit. [1, 2, 3, 4]
The highest GDPR fines
Over the past three years, the data protection authorities of the EU member states have enforced the GDPR more strictly and, in the case of violations by corporate groups, have made increasing use of the upper end of the range of fines, particularly where a group’s violations have recurred.
Both France and the UK began imposing substantial fines in 2019. After attackers compromised the British Airways website in the summer of 2018 and captured sensitive data of over 400,000 customers, the UK data protection authority (ICO) announced in July 2019 its intention to fine the airline £183.39 million; after considering the company’s representations and the economic impact on airlines of the COVID-19 pandemic that had broken out by then, the final penalty was reduced to £20 million. In the same year, the French data protection authority (CNIL) fined Google €50 million for non-transparent information practices and for failing, on a large scale, to obtain valid consent for personalised advertising. [5, 6]
In January 2022, the CNIL imposed further substantial fines for cookie banners that made refusing cookies markedly harder than accepting them, a classic dark pattern: €60 million on Facebook and €150 million on Google, split into €90 million for Google LLC and €60 million for Google Ireland. [7]
Since 2021, Ireland’s Data Protection Commission (DPC) has also imposed several large fines on Meta, totalling around €1.3 billion (September 2021: €225 million against WhatsApp; September 2022: €405 million against Instagram; November 2022: €265 million against Facebook; January 2023: €390 million against Facebook and Instagram), for a lack of transparency towards users, the public exposure of contact details of minors, inadequate protection against the large-scale scraping of user data, and the lack of a valid legal basis and of transparency when personalised advertising was made part of the terms of service. [8, 9, 10, 11]
Until recently, the highest single fine under the GDPR was the €746 million that the Luxembourg data protection authority (CNPD) imposed on Amazon in July 2021 for advertising and data collection practices that deliberately disregarded the provisions of the GDPR. A few days ago, however, this penalty was surpassed: following a binding decision of the European Data Protection Board, the Irish DPC fined the US company Meta €1.2 billion for continuing to transfer EU users’ personal data to the United States, where it is exposed to access by US intelligence agencies, without adequate safeguards. [12, 13]
German data protection authorities have also imposed severe penalties on a wide range of companies in recent years. In January 2021, the data protection commissioner of Lower Saxony (LfD Niedersachsen) fined the electronics retailer notebooksbilliger.de €10.4 million for having monitored its employees with video cameras for several years without a legal basis and for storing the recordings far longer than permitted. [14]
Back in October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) fined the textile retailer H&M €35.3 million for illegally collecting sensitive data about the private lives of employees at its Nuremberg service centre. Owing to a configuration error, this data briefly became accessible company-wide, which not only aggravated the violation but also led to its discovery. [15]
Conclusion
Particularly in data protection-savvy circles, the fifth anniversary of the GDPR becoming applicable has prompted disappointment at the lack of severity in the face of enormous and repeated violations. And indeed, many intentional and serious violations still go unpunished or draw no more than a warning.
On the other hand, European data protection authorities are, over time, taking increasingly firm action against repeat offenders, above all the GAMAM companies (Google, Apple, Meta, Amazon, Microsoft), and are showing that the General Data Protection Regulation is not a toothless tiger: it can defend the right to informational self-determination with a sharp sword and, in the long run, enforce it through deterrence.
Sources
- [1] Intersoft Consulting (2018): DSGVO Bußgelder / Strafen (GDPR fines / penalties). URL: https://dsgvo-gesetz.de/themen/bussgelder-strafen/
- [2] Intersoft Consulting (2018): Art. 58 DSGVO Befugnisse (Art. 58 GDPR Powers). URL: https://dsgvo-gesetz.de/art-58-dsgvo/
- [3] Intersoft Consulting (2018): Art. 84 DSGVO Sanktionen (Art. 84 GDPR Penalties). URL: https://dsgvo-gesetz.de/art-84-dsgvo/
- [4] Intersoft Consulting (2018): Art. 83 DSGVO Allgemeine Bedingungen für die Verhängung von Geldbußen (Art. 83 GDPR General conditions for imposing administrative fines). URL: https://dsgvo-gesetz.de/art-83-dsgvo/
- [5] Information Commissioner’s Office (2019): Intention to fine British Airways £183.39m under GDPR for data breach. URL: https://webarchive.nationalarchives.gov.uk/ukgwa/20211004183304/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
- [6] noyb (2020): €50 million fine for Google confirmed by French Court. URL: https://noyb.eu/en/eu50-million-fine-google-confirmed-conseil-detat
- [7] Data Privacy Manager (2022): CNIL fines Google and Facebook a total of €210 million over cookies. URL: https://dataprivacymanager.net/cnil-fines-google-and-facebook-a-total-of-e210-million-over-cookies/
- [8] Data Privacy Manager (2023): DPC fines META €390 million for violation of the GDPR. URL: https://dataprivacymanager.net/dpc-fines-meta-e390-million-for-violation-of-the-gdpr/
- [9] Data Privacy Manager (2022): Ireland: DPC imposes €265 million fine on Meta. URL: https://dataprivacymanager.net/ireland-dpc-imposes-e265-million-fine-on-meta/
- [10] European Data Protection Board (2021): EDPB requests that Irish SA amends WhatsApp decision with clarifications on transparency and on the calculation of the amount of the fine due to multiple infringements. URL: https://edpb.europa.eu/news/news/2021/edpb-requests-irish-sa-amends-whatsapp-decision-clarifications-transparency-and_en
- [11] Kashyap, K. (2022): Meta Fined €405 Million for Mishandling Teenagers’ Data on Instagram. URL: https://www.spiceworks.com/marketing/customer-data/news/meta-fined-405-million-for-mishandling-teenagers-data-on-instagram/
- [12] Data Privacy Manager (2021): Luxembourg DPA issues €746 Million GDPR Fine to Amazon. URL: https://dataprivacymanager.net/luxembourg-dpa-issues-e746-million-gdpr-fine-to-amazon/
- [13] noyb (2023): €1.2 billion GDPR fine for Meta over US mass surveillance. URL: https://edri.org/our-work/e1-2-billion-gdpr-fine-for-meta-over-us-mass-surveillance/
- [14] Landesbeauftragte für den Datenschutz Niedersachsen (2021): LfD Niedersachsen verhängt Bußgeld über 10,4 Millionen Euro gegen notebooksbilliger.de (LfD Lower Saxony imposes fine of €10.4 million on notebooksbilliger.de). URL: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html
- [15] Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (2020): Bußgeld wegen Datenschutzverstößen bei H&M (Fine for data protection violations at H&M). URL: https://web.archive.org/web/20230809132555/https://datenschutz-hamburg.de/pressemitteilungen/2020/10/2020-10-01-h-m-verfahren
Jan is co-founder of ViOffice. He is responsible for the technical implementation and maintenance of the software. His interests lie in particular in the areas of security, data protection and encryption.
In addition to his studies in economics and later in applied statistics, followed by a doctorate, he has years of experience in software development, open source and server administration.