In May 2018, the European Union General Data Protection Regulation (GDPR) came into effect. This landmark set of laws has changed the future of data privacy for the better. However, for many companies, GDPR has proven to be a struggle. Approximately 30% of EU companies were still not GDPR compliant more than a year after the regulation became law.
So far, over 200,000 reports of GDPR non-compliance have been filed, and that number is only going to increase. Authorities have shown that they are extremely serious about upholding GDPR, and some of the biggest companies have faced massive fines for their data privacy transgressions.
Types of GDPR fines
Before we dive into the transgressions of some of the largest companies in the world, it’s important to note that the GDPR has two different levels of fines:
Level 1 – This level specifically applies to data breaches and/or not implementing a Data Protection Impact Assessment (DPIA). The maximum fine is set at two percent of a company’s worldwide revenue or 10 million euros, whichever is higher. In order to avoid this fine, organizations are expected to have high security levels, demonstrate cooperation with authorities, perform a DPIA, and potentially employ a Data Protection Officer.
Level 2 – This level covers consent to process personal data, including consent for special categories. It also covers compliance with the eight data subject rights consumers have under GDPR. The maximum for this fine is set at four percent of a company’s worldwide revenue or 20 million euros, whichever is higher.
While we have yet to see a fine which goes to the absolute maximum level, regulators are beginning to issue larger and larger fines for non-compliance, and they are starting to become more commonplace. We do hope that violations by major companies will start to incur bigger fines. While some of these numbers seem substantial, they are often less than even 1% of a company’s annual turnover.
Without further ado, here are the largest GDPR fines to date.
€900,000 – UWV
Dutch public insurance company UWV was discovered to not be implementing adequate security procedures when processing health data in October 2018. UWV has a public portal where employers can submit employee absences due to illness, pregnancy, or parental leave. Although the employers did not specify what medical situation employees missed work for, this still qualified as health data, which is highly protected under the GDPR.
Dutch regulators found UWV to be in violation of Article 32 of the GDPR, and determined that the company would need to implement multi-factor authentication for access to its portal. UWV was given a year (until October 2019) to implement a new system, after which it would be issued a penalty of €150,000 each month, up to a maximum fine of €900,000.
However, as of November 2019, UWV was granted an extension to change its systems. The deadline was extended to March 1, 2020, though it has yet to be seen whether UWV has made the necessary changes. It appears that it did implement a multi-factor authentication system, but it is taking time for all the companies that use the portal to make the switch.
€2.6 million – The National Revenue Agency of Bulgaria
This fine requires a little bit of background. In July 2019, the National Revenue Agency (NRA) of Bulgaria suffered a massive data breach. The tax records of over 5 million citizens were leaked and included sensitive data such as personal identification numbers, addresses, and even income data. Bulgaria’s population currently stands at 7 million, meaning that almost every working adult in the country was affected.
Bulgaria’s data protection authority, the Commission for Personal Data Protection (CPDP), began an investigation shortly after the breach occurred and issued a BGN 5.1 million fine to the agency in August 2019 for failing to protect user data. The CPDP rightfully believed that had the NRA had sufficient measures in place, the breach would not have happened. So far, it appears that none of the stolen data has resurfaced, although Bulgarians are still worried.
The tax office has appealed the decision, and is pursuing a criminal investigation against the hackers. The NRA also fired two of its senior IT specialists, but has yet to publicly release an audit of its security systems.
€9.55 million – 1&1 Telecom GmbH
German authorities are not afraid to issue large GDPR fines. In December 2019, German telecoms provider 1&1 was fined €9.55 million by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for having insufficient authorization procedures in place.
What 1&1 was doing to verify a customer’s identity by phone was pretty baffling. All someone needed was the name and date of birth of a customer and from there, could access extensive personal information regarding said customer. So if someone knew your full name and date of birth, they could then access additional information about you through 1&1. Scary, right?
According to the BfDI, this was in direct violation of Article 32 of the GDPR, which concerns the security of customer data. In response to the fine, 1&1 said it would be appealing the decision, stating that the fine was disproportionate. The telecoms company said that its way of verifying a customer’s identity was normal and that there were no standards requiring higher security. That being said, we have to give 1&1 some credit, as it fully cooperated with the investigation and took immediate steps to improve its customer verification process.
€11.5 million – Eni Gas e Luce
In December 2019, Italian gas and electric company Eni Gas e Luce was issued two separate fines by the Italian Data Protection Authority (Garante) on the same day, which totalled €11.5 million. The company is relatively new, only starting in 2017, but it now has over eight million customers in Italy.
The first fine that Eni Gas e Luce received was €8.5 million for unlawful processing in connection with telemarketing and teleselling activities. The Garante had received numerous complaints from customers about the company. In particular, Eni Gas e Luce was continuing to make advertising calls without proper consent. In some cases, customers had explicitly stated that they no longer wanted to be contacted but still continued to receive calls.
It quickly became apparent that the company had no measures in place for consent management. It was also discovered that the company was retaining data far beyond the legal limit and was purchasing the personal data of potential customers without their prior consent.
The second fine, for €3 million, was issued for unsolicited contracts in the free market for the supply of energy and gas. The Garante found that 7,200 customers had been affected. Their old contracts with different suppliers had been terminated and new ones opened with Eni Gas e Luce without their knowledge or consent. In some cases, the complainants reported incorrect data in the contracts and that their signatures had been forged.
In addition to the two fines, the Garante ordered Eni Gas e Luce to adopt a number of corrective measures when it comes to how they process customer data.
€14.5 million – Deutsche Wohnen SE
In October 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA) issued the largest fine in Germany to Deutsche Wohnen SE. Deutsche Wohnen is a real estate company, and it allegedly had an archiving system for former tenants that did not allow non-necessary data to be erased.
This was exacerbated by the fact that Deutsche Wohnen had already faced compliance issues in 2017. Although the company did take some action to become more compliant, they completely neglected to implement a GDPR compliant data storage system.
According to the Berlin DPA, Deutsche Wohnen breached the GDPR in the following way: they had no legal ground to store data longer than necessary, which violates Article 25 and Article 5 of GDPR. This data was also quite sensitive. When applying to rent an apartment in Germany, you have to provide things like payslips, credit scores, and tax and social security information. All of this sensitive data was being stored by Deutsche Wohnen.
Deutsche Wohnen has said that it plans to fight the fine in court. Under German law, there are statutory data retention rules which require companies to store certain records in a way that is audit-proof (i.e. the records cannot be changed or deleted). This obviously conflicts with the GDPR, so it will be interesting to see how the German authorities manage to juggle both sets of rules.
€18 million – Österreichische Post AG
October 2019 was not a great month for GDPR violations. The Austrian Data Protection Authority (Austrian DPA) discovered that the Austrian Post (Österreichische Post AG) was selling customer information. The Austrian Post is the national postal service for the country, and it was revealed at the beginning of 2019 that they were collecting and selling data related to consumers’ political affinities.
The Austrian Post would use customer information, like ages and addresses, to determine who consumers were likely to vote for. That information was then sold to marketing companies or directly to political parties themselves. Approximately three million data records were sold by the postal service.
The Austrian Post has said that it is going to appeal the decision made by the Austrian DPA. There also appear to be other data protection issues which are not covered by the GDPR that the Austrian Post has violated. If the fine is upheld, it will be the largest in Austria to date.
€27.8 million – TIM
Italian telecommunications operator TIM was hit with a massive fine in January 2020 by the Garante. Over the course of two years, the Garante received hundreds of consumer complaints regarding TIM and its aggressive marketing tactics. An investigation was launched and it was confirmed that TIM was in violation of several GDPR provisions. In addition to the fine, the Garante imposed twenty corrective measures on TIM.
TIM’s call center was making millions of calls to non-customers without proper consent and with no legal basis for doing so. In fact, some phone numbers were contacted over 150 times per month by the company. The company was also found not to be managing its consent lists properly, and was storing data relating to customers of other telecom operators beyond the legal limit imposed by GDPR.
And the violations don’t end there. TIM was found to have further violated the GDPR regulations regarding their handling (or lack thereof) of data breaches. The company failed to report breaches in the designated time frame, and took no action to reduce the risk of further breaches.
€50 million – Google
This historic fine was the first large fine in GDPR history, and let major companies know that the authorities were dead serious when it came to data protection. Two privacy rights groups filed complaints against Google literally the day GDPR came into effect in May 2018. Both groups claimed that Google did not have a legal right to process user data for ad personalization. Although Google has European headquarters in Ireland, it was decided that the case would be handled by the French regulator CNIL.
Google was determined to have failed to meet a number of requirements under the GDPR. CNIL found that Google’s statements on consumer data processing were far too hard to find and that the language was too obscure. Additionally, CNIL found that Google was consent bundling, which is illegal under the GDPR, and was not asking for consent to process data.
Despite the initial size of the fine, it is relatively small when you consider Google’s annual turnover. At the time it was issued, it was the largest GDPR fine. Google has said that they are making the necessary changes and are committed to GDPR compliance.
£99,200,396 – Marriott International Inc.
The United Kingdom’s Information Commissioner’s Office (ICO) has stated that it plans to fine Marriott nearly one hundred million pounds for GDPR violations. The international hotel chain experienced a hack in late 2018 that exposed the sensitive personal data of over 300 million hotel guests. Credit card details, passport numbers, and dates of birth were among the data that was stolen.
The ICO has said that Marriott failed to do its due diligence when it comes to cybersecurity, and that they should have taken more steps to make sure that their systems were secure. Additionally, the hotel chain failed to promptly notify its customers that their data had been compromised. The data breach was discovered in September but it was not publicly announced until November.
Marriott has stated that it plans to appeal the fine, although the ICO has yet to make the £99.2 million fine official. The ICO has stated that Marriott has cooperated with it during the investigation and has made the necessary changes to fix the issue that caused the initial data breach. It is a nice change to see companies being held responsible for data breaches that occur on their systems.
£183.39 million – British Airways
While this fine has also not officially been enforced yet, it certainly shows that British regulators are serious when it comes to GDPR violations. The UK ICO announced its plans to fine British Airways and its parent company International Airlines Group (IAG) close to £190 million just days before the Marriott fine.
The international airline suffered from a data breach in September 2018, which led to the personal data of 500,000 customers being exposed. Customers were diverted from the British Airways website to a fraudulent website where their details were harvested. Personal information like login details, payment information, names, and addresses were compromised due to poor security measures on the airline’s website. British Airways notified the ICO in September 2018, but the breach is believed to have started as far back as June 2018.
Though the fine has yet to be enforced, it sounds like British Airways plans to appeal or at least get the fine reduced. Given that IAG is one of the world’s largest airline groups, even if the fine is £183.39 million they won’t be heavily affected (the group’s global revenue was $16.5 billion last year).
2020 Update: As of January 2020, the proposed fines for British Airways and Marriott International are both at a standstill. The ICO has reached an agreement with both companies to extend the regulatory process until March 31, 2020. What will happen after that remains to be seen. The ICO has a limited legal budget, and if both companies should decide to fight the decision in a court of law, they have the higher ground when it comes to funds. We’ll be sure to keep you updated.
Up and Coming – H&M
International retail company H&M has come under the scrutiny of the data protection authorities in Germany for allegedly spying on its employees at a single customer service center location in Nuremberg. A 60GB hard drive was discovered containing sensitive employee information such as health issues and even details about their private lives. Among other things, employee illnesses, family disputes and holiday memories were recorded and stored. Not only do the records demonstrate massive surveillance of employees, but they were accessible to all company managers.
In response, H&M has apologized and stated that it intends to fully cooperate with the authorities and their investigation. The company also added that its managers had already taken urgent measures in response to the incident. In the coming weeks, the data protection authority will decide on a fine. According to GDPR law, the maximum fine is 4% of the company’s annual turnover, which is an estimated €22 billion for H&M. This could be a landmark case, and we will be sure to post updates as they are released.
It seems that regulators are taking GDPR violations very seriously, and the value of the fines is finally beginning to reflect that. Of course, there are still cases where the fines are laughably small. Facebook was only fined a paltry £500,000 for the Cambridge Analytica scandal. However, it is important to remember that this was the maximum fine available to regulators at the time. The GDPR raises the maximum fine to a number that will actually hurt companies that fail to comply, and it will be interesting to see if regulators start pursuing the maximum fine available.
It will also be interesting to see if other countries begin enacting laws similar to the GDPR. In January 2020, the California Consumer Privacy Act (CCPA) came into effect and it will be intriguing to watch how it unfolds. While the CCPA is closely modeled on the GDPR, there are of course some differences when it comes to which businesses will be impacted. While we will have to wait and see if Californian privacy authorities will be as strict as their European counterparts, California is known for protecting its residents.
The fines listed above have shown us that GDPR is here to stay, and that the laws should not be ignored. Data privacy is going to continue to be a hot topic, and more laws are certainly going to come into effect to reflect that. Companies need to take a proactive approach, or else risk massive fines.
If you run your own business, it’s important that you understand how the GDPR can impact you. You only need to comply with GDPR if your company is based in the European Union, if you are targeting and offering goods or services to consumers in the EU, or if you are monitoring the behaviors of EU consumers. If your business does any of the above, you are legally required to be GDPR compliant. Regulators are not afraid to go after companies big and small, so it’s important that you understand how to be compliant.