The Biggest GDPR Fines to Date
If the best way to get a company’s attention is to hit it in the pocketbook, then European regulators have the full attention of many companies, including data giants like Google and Facebook. Here are some of the biggest GDPR fines to date:
Google L.L.C (Sweden and France)
Back in early 2019, the CNIL, the French data protection watchdog, issued its first GDPR fine of $57 million (€50 million), claiming that Google had failed to comply with the EU’s General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process. In 2020, the Swedish DPA fined Google approximately €7 million for not complying with its obligations regarding the “right to be forgotten”. The “right to be forgotten” stems from a landmark ruling nearly six years ago, in which the EU court forced the U.S. tech giant Google to remove European links to websites containing out-of-date or false information that could unfairly harm a person’s reputation. Google was ordered to delist certain search results, to stop informing websites when such delistings occur, and to otherwise adapt its data subject rights process. Separately, the French Council of State, the Conseil d’État, overruled a prior decision to fine Google €100,000 in relation to a 2016 right-to-be-forgotten case. The court decided that French law does not allow the data protection authority, the CNIL, to order search results to be removed globally, noting that the CNIL can only call for European search results to be removed.
British Airways (UK)
In July 2019, the U.K.’s Information Commissioner’s Office (ICO) fined British Airways and its parent, International Airlines Group (IAG), £183.39 million ($230 million) in connection with a 2018 data breach that affected around 500,000 customers browsing and booking tickets online. Following its investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements including log in, payment card, and travel booking details as well as name and address information.”
Marriott International Inc. (UK)
In July 2019, the Information Commissioner’s Office announced its intention to fine Marriott £99,200,396 for infringements of the GDPR in relation to a breach of the Starwood Hotels guest reservation database (339 million guests), with unauthorized access dating back to 2014. The proposed fine reflects the new ability under the GDPR to fine companies up to 4% of global turnover. Given that Marriott’s revenue last year was US$20.758 billion, the fine under the GDPR could have been significantly higher.
TIM (Italy)
In January 2020, the Italian Data Protection Authority (Garante) issued a €27.8 million fine to the telecommunications operator TIM for violations of the GDPR, with emphasis on unlawful data processing, a non-compliant, aggressive marketing strategy, invalid collection of consents, and excessive data retention periods.
Austrian Post (Austria)
The Austrian Data Protection Authority issued an €18 million fine against Österreichische Post AG (ÖPAG) for alleged violations of the EU General Data Protection Regulation, finding that ÖPAG had processed the political affiliation of data subjects and had further processed data on package frequency and the frequency of relocations for the purpose of direct marketing.
1&1 Telecom GmbH (Germany)
1&1 Telecom was fined by the German Federal Commissioner for Data Protection and Freedom of Information for not taking appropriate measures to prevent unauthorized parties from accessing customer data through its call center: a caller who gave the customer service department a customer’s name and date of birth was able to obtain that customer’s information.
Lessons learnt
The GDPR fines to date should serve as notice to other companies, both those under investigation now and those that may be investigated in the future, that the possibility of fines under the GDPR is very real. Apart from the business disruption and the financial implications, a GDPR fine can send your organization’s brand image into a downward spiral, and regaining customers’ confidence will be a costly and time-consuming affair. It is therefore worthwhile to consider whether your organization meets the legal requirements of the GDPR and whether it can withstand a regulator’s meticulous eye. Please reach out to us to discuss your organization’s need to comply with the GDPR or any details of enforcement action under the GDPR.