In effect since May 25, 2018, the GDPR is the world’s most stringent piece of pro-user data privacy legislation ever passed. Thanks to Facebook’s apparent disregard for user privacy, and the media attention the Cambridge Analytica scandal garnered last year, the GDPR arrived at an interesting time.
Ironically, Facebook barely escaped GDPR prosecution for its transgressions. Had the Cambridge Analytica scandal occurred after GDPR implementation, officials project it would have cost the company billions of dollars under the purview of the new regulation.
While it’s unlikely your business would ever get hit for such a high fine (because maximum penalties are up to €20 million or 4% of global revenue, whichever is higher), if you’re serious about avoiding GDPR backlash, it’s wise to learn from the mistakes of others.
Read on to discover who hands out the fines set forth by the GDPR, and which businesses have already taken a beating at the hands of this privacy legislation — so you can avoid a similar fate.
Who enforces the GDPR?
The EU permits each member state to adjust its enforcement policies to fit within its pre-existing legal system, with the EU Data Protection Board (EDPB) ensuring the GDPR is applied consistently across the continent.
Each member state must have a Data Protection Authority (DPA), which operates as its primary voice regarding GDPR enforcement. DPAs are responsible for wielding the lofty fines laid out in the regulation, and also function as a company’s point of contact if they have any compliance-related questions.
Current GDPR fines by country
Since GDPR came into effect, the penalties imposed have totaled €56 million (~$63 million). A massive 90% of this total cost belongs to Google, which was fined €50 million in January 2019.
Although the tech giant’s fine is the most headline-grabbing, numerous other companies have been hit across Europe. Many countries in the EU had been working hard to prosecute privacy breaches for years, and the GDPR finally gave them the ammunition to litigate offenders.
Let’s start with the big one: the Google GDPR fine.
France's data protection agency, the Commission Nationale de l’Informatique et des Libertés (or CNIL), imposed a penalty of €50 million on Google for lack of transparency and consent, because the tech giant didn't disclose how users’ data was collected for advertising when they set up an Android phone.
Consent and transparency are key concepts of the GDPR. In practice, the average user should understand and agree to how their data is being processed, and information about this should not be hidden behind multiple clicks or disguised in legalese. By not being clear about how it processed user data, Google failed to obtain valid consent — and paid the price.
Google could have easily avoided this fine if it had fulfilled the accessibility requirements laid out by the GDPR. Knowing how to gather the appropriate type of consent from your customers is a key part of compliance — it’s crucial that users are fully informed about what data-processing practices they’re agreeing to, and it should be easy for them to withdraw their consent at any time.
Spanish soccer league LaLiga fell foul of the GDPR in June 2019 when a supposed anti-piracy measure resulted in a fine of €250,000 for spying on fans.
To prevent bars from showing matches illegally, LaLiga included a feature in its official app that activated the device’s microphone during game times to listen in for a match being shown on TV in the background. If audio from a game was detected, it was then compared with GPS location data to determine if the venue had a valid license.
The process used technology similar to the music app Shazam, which lets users identify songs by holding their phone near a speaker. Except in this case, soccer fans had no idea their phones were listening, and they were unknowingly being turned into informants.
LaLiga argued that it did explain this feature in the terms of service, and that the app only listened for a certain sound footprint and discarded the other data.
Nonetheless, the Spanish data protection authority deemed that to fully meet the GDPR’s transparency requirements and avoid the penalty, LaLiga should have informed users each time the microphone was activated.
The UK's Information Commissioner's Office (ICO) is one of the more aggressive data privacy advocates currently operating in Europe. While they haven’t levied any penalties for GDPR violations yet, more than 14,000 breaches have been logged since the GDPR came into effect.
If the ICO’s record of enforcing fines under the previous Data Protection Act (DPA) is anything to go by, they’ll likely drop the hammer on several businesses before 2019 is over.
The ICO has been emphatically enforcing data privacy rules, so it’s clear they’re ready to wield the GDPR in court. For instance, the ICO has repeatedly penalized companies for sending out marketing emails without client consent — a violation that the GDPR does not take lightly.
Some of the penalties the ICO issued under the Data Protection Act include the following:
- British Telecom (BT) was hit with a £77,000 (~$97,000) penalty for sending over 5 million emails promoting various charities.
- A marketing agency named Everything DM Ltd got hit for £60,000 for sending out promotional emails from their clients’ email addresses, giving recipients the impression that the client sent the email (instead of a marketing agency).
- Domestic airline Flybe received a £70,000 fine for an email campaign that involved over 3.3 million emails to customers who explicitly did not give their consent to receive marketing emails.
- Honda was also penalized, receiving a fine of £13,000 for emailing thousands of customers who made it clear they didn’t want to receive emails.
Furthermore, the ICO's prosecution of Facebook was international news. As mentioned, the existing sanctions against Facebook were governed by prior law, so the assessed fines were much smaller than they would have been, had they been imposed following GDPR enforcement.
As GDPR enforcement continues to ramp up, the UK will be the country to watch.
Empowering users is a core part of what the GDPR is about — and the EU has been clear that proportionate fines will be levied when companies fail to protect users’ personal information from breaches.
A recent example of this is the case of German social networking site Knuddels.de, which was fined €20,000 in November 2018 after a hacker attack compromised the personal data of 330,000 users. The attack was only so damaging because the site had stored users’ passwords in plain text, neither hashed nor encrypted, thereby falling far short of the GDPR’s high security standards.
However, due to earnest action to rectify the mistake, Knuddels avoided a much larger fine. The German data protection authority noted the company's cooperation and the hundreds of thousands of euros it spent on improving security architecture. While ignoring regulations can result in a serious lawsuit, making a legitimate effort to follow the rules will help most companies in the EU avoid GDPR fines.
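The Knuddels case turns on a single engineering decision: a stolen user table is only as damaging as what the credential column reveals. The following Python example is added here to illustrate that point; it is not Knuddels’ code nor anything from the article. It contrasts a plain-text credential record with a salted PBKDF2-HMAC-SHA256 record, verifies logins in constant time, and includes a small audit helper that flags any record not stored in the hashed format. The function names, the `pbkdf2_sha256$` record layout and the iteration count are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumption: chosen for this example;
# tune to your hardware so a verify takes tens to hundreds of milliseconds).
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32
RECORD_PREFIX = "pbkdf2_sha256$"   # assumed self-describing record format


def store_plaintext(password: str) -> str:
    """The weak form: the stored record *is* the password.
    Anyone who reads the table (a breach, a backup, a rogue insider) reads
    every account's password with no further work."""
    return password


def store_hashed(password: str) -> str:
    """The hardened form: a fresh random salt per user, stretched with
    PBKDF2-HMAC-SHA256. The parameters are embedded in the record so the
    iteration count can be raised later without invalidating old records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return "{}{}${}${}".format(
        RECORD_PREFIX,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest using the parameters stored in the record and
    compare in constant time. Any malformed record fails closed."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algo + "$" != RECORD_PREFIX or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def find_unhashed_records(user_table: dict) -> list:
    """Audit helper: return the usernames whose credential record is not in
    the hashed format. Run this over the real table before an auditor does."""
    return sorted(
        user for user, record in user_table.items()
        if not record.startswith(RECORD_PREFIX)
    )


if __name__ == "__main__":
    # Constructed sample table: one legacy plain-text record, one hashed record.
    table = {
        "alice": store_plaintext("hunter2"),
        "bob": store_hashed("correct horse battery staple"),
    }
    print("login bob/correct:", verify_hashed("correct horse battery staple", table["bob"]))
    print("login bob/wrong:  ", verify_hashed("hunter2", table["bob"]))
    print("records needing migration:", find_unhashed_records(table))
```

Two design points matter for the GDPR argument. First, because each record carries its own salt and iteration count, a table dump does not let an attacker reuse one precomputed dictionary across all 330,000 users; the stretching has to be repeated per account. Second, the audit helper is the kind of evidence of "earnest action" the German authority credited Knuddels with: it produces a concrete list of accounts still stored insecurely, which a migration job can then force through a password reset or rehash on next login.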
Final thoughts — more fines are coming
While the GDPR may have only recently passed its one-year anniversary, there’s no doubt that more fines are coming soon. In fact, analysts predict that the number of fines will soar once regulators catch up on their backlog of breaches.
Facebook is still dodging the biggest penalties — it was recently fined €1 million by the Italian data protection watchdog in the ongoing Cambridge Analytica debacle. But once again, the fine was relatively minor because GDPR was not in effect when the offence was committed.
Zuckerberg’s luck may run out soon if Facebook transgresses again in the new GDPR climate. Other US businesses subject to GDPR compliance should be equally cautious. If the fines discussed in this article are a sign of things to come, they indicate that the GDPR takes the rights of users seriously and doesn’t discriminate.
If you're concerned about how your enterprise would survive a DPA audit, seek legal assistance as soon as possible.