Ever since the General Data Protection Regulation Act (GDPR) was introduced, the data regulators in the European Union (EU) have imposed sizable penalties on various organizations that misused or failed to protect customer personal information.
GDPR requires organizations that handle customer personal data to follow certain guidelines and transparency in the way they collect, store, and use the data collected from customers. It has restricted businesses from using their customer data without consent. Owing to the fear of high penalties, most organizations are now focusing more on user data protection and data privacy.
The data protection authorities in the EU have issued 661 fines for a total of €292 million (approximately US$356,513,020) in the three years since the GDPR took effect (on May 25, 2018). According to a recent analysis from Privacy Affairs, Italy received the highest fines (€76,217,601), followed by France (€54,661,300), Germany (€49,186,833), the U.K. (€44,221,000), and Spain (€29,372,510). While Spain issued the greatest number of GDPR fines (222), Italy issued 73 penalties, followed by Romania with 54 fines, Hungary with 39, and Germany with 30. All 28 EU nations, including the U.K., issued at least one GDPR fine.
Top Five GDPR Fines
- The highest GDPR fine to date remains the €50 million (about US$61 million) imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent. It is followed by Germany with €32.2 million and Italy with €27.8 million.
- Popular fashion retailer Hennes & Mauritz Online Shop A.B. & Co KG (H&M) was fined €35.2 million (about US$41.1 million) by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for violating the GDPR.
- The Italian Data Protection Authority (Garante) imposed a €27.8 million (US$31.5 million) fine on telecommunications operator TIM for violation of the GDPR guidelines.
- British Airways was fined €22 million (approximately US$26 million) for failing to protect its customers’ sensitive information in a cyberattack in 2018.
- Marriott International Inc. was penalized €20 million (around US$24 million) for failing to protect the personal data of millions of its customers.
The Highest Fines Issued to Private Individuals
- €20,000 (US$24,420) issued to a private person in Spain for unlawful video surveillance of employees.
- €11,000 (US$13,431) issued to a football coach in Austria who was found to be filming female players in the shower.
- €9,000 (US$10,988) issued to a person in Spain for illegal video surveillance of employees.
- €2,500 (US$3,052) issued to an individual in Germany who sent out emails to several persons, where each could see the other recipient’s email addresses.
- €2,200 (US$2,686) issued to a person in Austria for having illegally filmed public areas using a personal CCTV system.
“While GDPR sets out the regulatory framework that all EU member states must follow, each state legislates independently and is allowed to interpret the regulations differently and impose its own fines on organizations that break the EU law,” the report from Privacy Affairs stated.
Rising GDPR-related Breaches
A survey by multinational law firm Linklaters revealed that GDPR-related data breach notifications across European countries have increased by 66% compared with the first year of the GDPR (from May 25, 2018, to May 24, 2019). The analysis attributed the surge in data breach notifications to companies being more aware of their data security obligations.