GDPR Fines Swell in Volume & Value – How To Avoid Getting Stung!
As we approach the third anniversary of the European Union (EU) General Data Protection Regulation (GDPR) coming into effect (May 25th, 2018), we have all witnessed a range of impacts from both a personal and an organisational perspective. Opt-in requests, cookie notices and new business processes are only a few of the methods used to help protect personal data and organisational compliance. By definition, personal data is “any information relating to an identified or identifiable natural person”, and the regulation applies to EU-established organisations and to organisations that sell goods or services to, or monitor, individuals in the EU (Articles 3 & 4). Any organisation that processes the data of EU citizens must comply with GDPR regardless of its location. If it is possible for someone to piece together separate pieces of data to identify a person, then it is personal data; for instance, it wouldn’t be difficult to single out a female data scientist and accountant in a domain conference database.
Data Protection Authorities (DPAs) have been enforcing the regulation by imposing fines and penalties on companies and individuals who have violated it. By now, most people are familiar with the penalties in Article 83(4) relating to two classes of infringements:
- The greater of €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding fiscal year, relating to Articles 8 (child consent), 11 (identification), 25 (protection by design & default), 39 (tasks of the DPO), 42 (certification) and 43 (certification bodies).
- The greater of €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding fiscal year, relating to processing: Articles 5 (principles), 6 (lawfulness), 7 (consent) and 9 (special categories).
For reference, an undertaking is not just a single legal entity; it can be ‘several natural persons or corporate entities’ (GDPR Fines/Penalties). Just ask Google™, where a Spanish citizen requested their information be removed and an inextricable link between Google Spain and Google Inc. was established, resulting in a €100,000 fine (the ruling was overturned four years later) (BBC, 2019).
Who has Been Fined?
€100,000 is petty cash for Google™, but that’s only one fine and yes, they have others with so many zeros that you have to triple count just to be certain your eyes didn’t go wonky. Other organisations, along with individuals, have also felt the pain of not abiding by the regulation. Those fined range from large enterprises such as banks, airlines and hotel chains, to smaller organisations including schools, homeowners’ associations, cafes and barbers, to individuals including doctors, mayors and other private people.
Heck, even a “Royal President” was fined, but unfortunately that famous Nigerian Prince and his related scam emails prove to be elusive. No Princes have been fined or shut down ☹ (and yes, a DPA has this power). However, there are still lots of opportunities for GDPR to find a prince. The trends in GDPR fines reflect an increase in both the monthly volume and the amount of fines, as shown in the two charts (applying a LOESS regression).
Disproportion of Fines by Country
Another interesting aspect is the degree of disparity between the different jurisdictions. Perhaps citizens in certain countries are more prone to report infringements, organisations there are less likely to adhere to the regulation, or the DPA is more enthusiastic, but the variation between countries is clearly visible. Italy, France, the UK, Spain and Sweden are miles ahead in the maximum, cumulative and average fines, with Italy just over €70 million in cumulative fines since issuing its first fine in April 2019 and, in January, issuing a €27.8 million fine to TIM, an Italian telecommunications company.
The gap in the cumulative amount of fines is significant. Sweden ranks fifth in terms of total fines issued at €12.3 million, while the Netherlands, ranked sixth, drops to a cumulative total of €3.9 million (Sweden’s total is 3.13 times the value and 2.4 times the volume).
Types of Violations
What’s interesting is the volume of fines by type. Insufficient legal basis for processing (primarily the second class of fines, which includes Articles 5 & 6) accounts for the largest volume of fines at 38%, followed by insufficient measures to ensure information security at 21% and non-compliance with data processing principles at 16%.
Description of each label:
- Legal Basis: Insufficient legal basis for data processing
- Security: Insufficient technical and organisational measures to ensure information security
- Principles: Non-compliance with general data processing principles
- Subject Rights: Insufficient fulfilment of data subjects’ rights
- Info Oblig: Insufficient fulfilment of information obligations
- Uncoop w/ Suprv Auth: Insufficient cooperation with supervisory authority
- Breach Notice: Insufficient fulfilment of data breach notification obligations
- No DPO: Lack of appointment of data protection officer
- Proc Agmt: Insufficient data processing agreement
In terms of the value of fines as well, Insufficient legal basis for data processing is the largest category, with fines amounting to over €164 million across more than 210 instances. The plot reveals the range and volume of the fines, with the bulk of them being less than €6 million. The larger amounts include:
- Google Inc. at €50 million (ouch!)
- H&M Hennes & Mauritz Online Shop of €35.2 million
- TIM telecom mentioned above at €27.8 million
- Wind Tre telecom of €16.7 million
- notebooksbilliger.de at €10.4 million
To assume that once an organisation receives a fine, a DPA won’t be returning for a while is fallacious and potentially costly. Vodafone España has accumulated over 30 fines in just 16 months, totalling over €1.45 million, with the most recent delivery landing on February 12th (perhaps with a box of Valentine’s chocolate cherries). Vodafone Italia S.p.A. has also received some love with a €12.25 million fine in November 2020, along with smaller fines for Vodafone Romania and Vodafone ONO.
The second largest category of fines by amount is Insufficient technical and organisational measures to ensure information security, accounting for €64 million across more than 120 instances. The two largest items in this category account for approximately two-thirds, or ~€42.5 million, of the total amount:
- British Airways at €22 million
- Marriott International Inc. at €20.4 million
- 1&1 Telecom GmbH (related to 1&1 Ionos) for €900,000
See Part 2 for more…
GDPR Regulation: https://gdpr.eu/tag/gdpr/
Note: The fine analysis dataset covers inception (May 25, 2018) to February 21, 2021. Data source: enforcementtracker.com, provided by CMS Law.Tax, CC BY-NC-SA