October 22, 2021

What do the heftiest GDPR fines tell us?

What do the heftiest GDPR fines tell us?

The GDPR came into effect in 2018. Although contrary to the panic before its enforcement, and fines weren’t issued left and right on day one, they’ve finally picked up speed in 2021.

The GDPR allows the European Union’s Data Protection Authorities to issue fines of up to €20 million or 4% of the organization's annual global turnover, whichever is higher. In 2019, there was a steady rise in the overall number of fines, then in 2020 a notable rise in the amounts impacting industry and commerce, media and telecommunications, and the public sector the most. This summer has been very eventful for Big Tech. In July, Amazon was hit with the heftiest GDPR fine issued to date, which amounts to €746 million. In September, Facebook-owned WhatsApp Ireland received a €225 million fine, making it the second biggest ruling against the Tech Giants.

The most fined countries so far are:

  1. Luxembourg - €746,071,000 in total with 11 fines, including of Amazon Europe's €746,000,000 fine.
  2. Ireland -€225,876,400 in total with 9 fines, including WhatsApp Ireland's €225,000,000 fine.
  3. Italy - €86,138,770 in total with 92 fines, including TIM's €27,800,000 fine.
  4. France - €57,314,300 in total with 18 fines, including Google's €50,000,000 fine.
  5. Germany - €49,258,633 in total with 32 fines, including H&M Online Shop's €35,258,708 fine.
  6. United Kingdom - €44,250,000 in total with 5 fines, including British Airways' €22,046,000 fine.
  7. Spain - €32,697,610 in total with 288 fines, including Vodafone España's €8,150,000 fine.

Vodafone España's record-breaking fine for Spanish GDPR violations is the combination of four separate penalties (50 fines) for aggressive telemarketing tactics and repeated data protection failures.

>> Having technical and logistical means to verify the legality of the processed data, and being able to identify whether customers have opted-out of marketing communications are crucial practices for GDPR compliance.

The 3 most fined types of violation so far are:

  1. Non-compliance with general data processing principles - €782,370,864 in total with 168 fines
  2. Insufficient fulfilment of information obligations - €234,940,895 in total with 58 fines
  3. Insufficient legal basis for data processing - €176,435,312 in total with 284 fines

As a result of a complaint filed by 10,000 people against Amazon in May 2018, the biggest fine ever for the violation of the GDPR was issued in the amount of €746 million for the way it uses customer data for targeted advertising purposes - "Non-compliance with general data processing principles".

>> Companies don’t need to have suffered a data breach to break GDPR rules. Simply not having an explicit "opt-in" function for "relevant advertising" is enough for hefty fines.

WhatsApp was fined €225 million in violation of "Insufficient fulfilment of information obligations" after an investigation that went on for nearly 3 years. This is the Irish regulator's largest GDPR fine to date, and the second-largest in EU history.

>> The investigation was prompted by privacy activist Max Schrems of NOYB, who filed complaints in late 2018 regarding WhatsApps’s alleged “forced consent” policies, claiming that it essentially pressured users into accepting its privacy terms by denying them service otherwise. On top of the serious fine, the Irish DPC also gave WhatsApp 90 days to make a number of changes to improve the transparency of its communications to both platform users and non-users (namely contacts of WhatsApp users) that might be impacted. Here, "transparency" means being clear, open and honest with people from the get-go about who you are and how you process data. Also, to Inform individuals in easily accessible and understandable language is crucial.

The most known case of GDPR violation in the category of "Insufficient legal basis for data processing" in Art.6 GDPR is Google over the lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

>> Having a user-friendly privacy policy where all essential information regarding processing operations is centralized, as well as implementing an explicit "opt-in" function for advertising are necessary for GDPR compliance.

You can learn more about how the TRUENDO Consent Management Platform can help your organization stay compliant with the ever-changing regulations here.

DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.