In May 2018, the EU General Data Protection Regulation (GDPR) came into effect. This landmark regulation has changed the future of data privacy for the better. For many companies, however, GDPR has proven to be a struggle: industry surveys suggest that roughly 30% of EU companies were still not compliant more than a year after the regulation became law.
So far, over 200,000 complaints and breach notifications have been filed with supervisory authorities, and that number is only going to increase. Authorities have shown that they are serious about enforcing GDPR, and some of the biggest companies have faced large fines for their data privacy transgressions. Here is our list of the five biggest GDPR fines to date.
Types of GDPR fines
Before we dive into the transgressions of some of the largest companies in the world, it is important to note that the GDPR (Article 83) has two different tiers of fines:
Level 1 – This tier (Article 83(4)) covers breaches of the obligations placed on controllers and processors: keeping processing secure, notifying breaches on time, carrying out a Data Protection Impact Assessment (DPIA) where one is required, appointing a Data Protection Officer where one is required, and similar duties. A breach in itself is not automatically fined; what is fined is the failure to take appropriate technical and organisational measures to prevent it. The maximum fine is two percent of a company's worldwide annual turnover for the preceding financial year or 10 million euros, whichever is higher. When setting the amount, regulators weigh factors such as the security measures that were in place, the degree of cooperation with the authority, and any previous infringements (Article 83(2)).
Level 2 – This tier (Article 83(5)) covers the basic principles of processing, including the lawful basis for processing and the conditions for valid consent (with stricter conditions for special categories of data), the data subject rights in Articles 12 to 22 (commonly summarised as eight rights), international transfers, and failure to comply with an order from a supervisory authority. The maximum for this tier is four percent of worldwide annual turnover or 20 million euros, whichever is higher.
While we have yet to see a fine that reaches the absolute maximum, regulators are beginning to issue larger and larger fines for non-compliance.
5. Deutsche Wohnen SE – €14.5 million
In late October 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA) issued what was then the largest GDPR fine in Germany to Deutsche Wohnen SE. Deutsche Wohnen is a real estate company, and it allegedly used an archiving system for tenant data that did not allow data that was no longer necessary to be erased.
This was exacerbated by the fact that the Berlin DPA had already raised the issue with Deutsche Wohnen during an inspection in 2017. Although the company did take some steps towards compliance, it did not replace the archive with a system that actually supported deletion.
According to the Berlin DPA, Deutsche Wohnen had no legal basis for storing personal data longer than necessary, which violates Article 5 (the storage limitation principle) and Article 25 (data protection by design and by default) of GDPR. The data was also quite sensitive: when applying to rent an apartment in Germany you have to provide things like payslips, bank statements, and tax and social security information, and all of this was being retained by Deutsche Wohnen for former tenants.
Deutsche Wohnen has said that it plans to fight the fine in court, arguing that German commercial and tax law requires certain records to be stored in an audit-proof form (i.e. they cannot be changed or deleted) for fixed statutory periods. That argument does not by itself resolve the conflict: GDPR permits retention for as long as a legal obligation requires it (Article 6(1)(c) and Article 17(3)(b)), but the obligation only covers the specific records and periods the law names, not everything in a tenant's file for an indefinite time. The practical check for any organisation is a retention schedule that states, per data category, which legal obligation justifies the period and what happens when it expires, together with an archive that can actually delete at that point. It will be interesting to see how the German courts draw that line.
4. Austrian Post – €18 million
Also in October 2019, the Austrian Data Protection Authority (Austrian DPA) fined the Austrian Post (Österreichische Post AG) for selling customer information. The Austrian Post is the national postal service for the country, and it was revealed at the beginning of 2019 that it had been collecting and selling data related to consumers' political affinities.
The Austrian Post used information like age and address to calculate who consumers were likely to vote for. That information was then sold to marketing companies or directly to political parties themselves. Approximately three million data records were sold by the postal service. Inferred political opinions are a special category of data under Article 9 of GDPR, so processing them requires explicit consent or another narrow exception, which is why this case falls in the higher fine tier.
The Austrian Post has said that it is going to appeal the decision made by the Austrian DPA. There also appear to be other data protection issues, not covered by the GDPR, that the Austrian Post has violated. If the fine is upheld, it will be the largest in Austria to date.
3. Google – €50 million
This historic fine, issued by the French regulator CNIL in January 2019, was the first large fine in GDPR history, and it let major companies know that authorities were serious about data protection. Two privacy rights groups filed complaints against Google within days of GDPR coming into effect. The groups claimed that Google did not have a valid legal basis for processing user data for ad personalisation. Although Google has its European headquarters in Ireland, CNIL concluded that the GDPR one-stop-shop mechanism did not apply, because the Irish entity did not have decision-making power over the processing at issue (Android account creation) at the time, so CNIL handled the case itself.
Google was found to have failed to meet a number of requirements under GDPR. CNIL found that Google's information on how consumer data is processed was spread across too many documents and clicks and that the language was too vague for users to understand the scale of the processing. Additionally, CNIL found that the consent Google relied on was not valid: the option to display personalised ads was pre-ticked, and a single consent covered all of Google's processing purposes (consent bundling) rather than being given separately for each purpose, as Article 7 requires.
Although it was the largest GDPR fine at the time, €50 million is relatively small when you consider Google's annual turnover. Google has said that it is making the necessary changes and is committed to GDPR compliance.
2. Marriott International Inc. – £99,200,396
The United Kingdom's Information Commissioner's Office (ICO) has stated that it intends to fine Marriott nearly one hundred million pounds for GDPR violations. In late 2018 the international hotel chain disclosed a breach of the Starwood guest reservation database that exposed the personal data of around 339 million guests, including credit card details, passport numbers, and dates of birth. The unauthorised access is believed to date back to 2014, before Marriott acquired Starwood in 2016.
The ICO said that Marriott failed to undertake sufficient due diligence on Starwood's systems when it bought the company, and that it should have done more to make sure those systems were secure once they were under its control. Marriott has also been criticised for how long it took to tell customers that their data had been compromised: it was alerted to suspicious activity in September 2018 but did not make the breach public until November 2018.
Marriott has stated that it intends to contest the fine, although the ICO has yet to make the £99.2 million penalty official. The ICO has stated that Marriott cooperated during the investigation and has made changes to fix the issue that caused the breach. It is a welcome change to see companies held responsible for breaches that occur on systems they have acquired, not only on systems they built.
1. British Airways – £183.39 million
While this fine has also not been made final yet, it certainly shows that regulators are serious when it comes to GDPR violations. The UK ICO announced its intention to fine British Airways, part of International Airlines Group (IAG), £183.39 million the day before the Marriott announcement.
The international airline disclosed a data breach in September 2018 that exposed the personal data of around 500,000 customers. Traffic on the British Airways website was diverted to a fraudulent site where customers' details were harvested: subsequent analysis attributed the attack to a Magecart-style skimming script injected into the site's payment page, which copied the card form to an attacker-controlled look-alike domain. Personal information such as login details, payment card details, names, and addresses was compromised because of poor security measures on the airline's website. British Airways notified the ICO in September 2018, but the breach is believed to have started in June 2018.
Though the fine has yet to be enforced, British Airways plans to make representations to the ICO and appears likely to appeal or at least seek a reduction. Even at £183.39 million, the proposed penalty amounts to about 1.5% of BA's worldwide turnover for 2017, well below the 4% ceiling, and IAG as a whole is one of the world's largest airline groups, so the company will not be heavily affected.
It seems that regulators are taking GDPR violations very seriously, and the size of the fines is finally beginning to reflect that. Of course, there are still cases where the fines are laughably small. Facebook was fined a paltry £500,000 for the Cambridge Analytica scandal, but it is important to remember that the conduct predated May 2018, so the ICO had to act under the Data Protection Act 1998, and £500,000 was the maximum available under that law. GDPR raises the ceiling to a number that will actually hurt companies that fail to comply, and it will be interesting to see whether regulators start pursuing the maximum fine available.
It will also be interesting to see whether other jurisdictions enact laws similar to GDPR. In January 2020, the California Consumer Privacy Act (CCPA) comes into effect, and it will be intriguing to watch how it unfolds. While the CCPA is often compared to GDPR, it differs in important ways, including which businesses are covered and its reliance on opt-out rights rather than consent.
The fines listed above have shown us that GDPR is here to stay, and that its rules should not be ignored. Data privacy is going to remain a hot topic, and more laws are certainly going to come into effect to reflect that. Companies need to take a proactive approach, or else risk a massive fine.