A look at the first big GDPR fines
Introduction
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. The regulation shook the world of commerce, bringing organizations across the globe into line with modern expectations of personal data protection and privacy.
In the run-up to the enactment of the regulation, there was much talk of the large fines associated with non-compliance. Let’s have a look at what the situation is vis-a-vis GDPR fines a year on — were companies right to be worried?
The GDPR fine levels
Before looking at the cases, here is a recap of the two tiers of administrative fine set out in Article 83 of the GDPR. Both are maximums: a supervisory authority chooses an amount up to the cap, taking into account the nature, gravity and duration of the infringement, whether it was intentional or negligent, and how the organization cooperated.
Level 1: Applies to breaches of the obligations placed on controllers and processors, such as failing to notify a personal data breach or to carry out a Data Protection Impact Assessment (DPIA). This tier is capped at 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Examples of obligations in this tier, where non-compliance can attract a level 1 fine:
- Implementing data protection by design and by default, including appropriate technical and organizational security measures (Article 25)
- Keeping records of data processing activities (Article 30)
- Cooperating with the supervisory authority (SA) on request (Article 31)
- Applying security appropriate to the risk when processing personal data (Article 32)
- Notifying a personal data breach to the SA, without undue delay and where feasible within 72 hours (Article 33)
- Communicating a personal data breach to the affected data subjects where it is likely to result in a high risk to them (Article 34)
- Carrying out a DPIA where the processing is likely to result in a high risk (Article 35)
- Designating a Data Protection Officer (DPO) and supporting the DPO's position and tasks, where applicable (Articles 37 to 39) (1)
Level 2: Covers the basic principles for processing, including the conditions for consent (and for consent to process special categories of data), the data subject rights in Articles 12 to 22 (commonly summarized as eight rights), international transfers, and non-compliance with an order from an SA. This tier is capped at 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
GDPR compliance: Where we are today
A year on, according to Deloitte, only around 35% of the organizations surveyed had achieved full compliance with the GDPR's data breach notification requirements. The European Data Protection Board (EDPB)'s first overview of implementation gives a sense of the enforcement workload behind that figure: it counted 206,326 cases reported by the supervisory authorities (SAs).
The total value of fines imposed in the first year, according to the EDPB, was 55,955,871 euros. Bringing that figure up to date to include the major 2019 enforcement actions discussed below, such as those against British Airways and Marriott International, takes it to 359,205,300 euros (approximately $397,950,275).
Gaps in understanding of what the GDPR requires remain widespread. Certain areas of the legislation continue to cause confusion: for example, marketing emails, consent and the "legitimate interest" basis for processing. An EU survey on GDPR awareness found that 57% of respondents knew there is a public authority in their country responsible for data protection, but only around 20% could say which one.
It isn't just small organizations that have gaps in GDPR knowledge. Enterprises of all sizes have struggled to meet the requirements of the legislation. The result is some eye-watering fines.
Significant GDPR Fines
Here are some of the biggest fines, to date, issued because of non-compliance with the GDPR:
Marriott International: £99.2 million (approximately $125 million), data breach
The Marriott breach, disclosed in 2018, affected the Starwood guest reservation database and exposed around 339 million guest records. Around 30 million of those records related to residents of the European Economic Area, which brought the incident within the scope of the GDPR. The personal data exposed included names, addresses, phone numbers, email addresses and passport numbers. In July 2019 the UK's Information Commissioner's Office (ICO) announced its intention to fine Marriott £99.2 million; the figure is a notice of intent, and the final penalty can change after the company makes representations.
Google: 50 million euros (approximately $55 million), various non-compliance around data subject rights
Google was fined 50 million euros for several GDPR violations. The CNIL found that Google did not comply with Article 12, which requires information about processing to be provided in a concise, transparent, intelligible and easily accessible form, or with Article 13, which sets out the information that must be given to data subjects when their data are collected. Essential information such as the purposes of processing and the retention periods was spread across several documents and took several clicks to reach.
The other major finding concerned ad personalization. Google could not show a valid legal basis for personalizing ads: the consent it relied on was neither sufficiently informed nor "specific" and "unambiguous," since the ad personalization option was pre-ticked and consent was collected for all of Google's processing purposes at once rather than for each purpose separately. The fine was issued by the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), in January 2019.
British Airways (BA): £183 million (approximately $221 million), data breach
A data breach at British Airways, notified to the ICO in September 2018, exposed the personal data of around 500,000 customers. The data included login credentials, payment card details, names, addresses and travel booking information. In July 2019 the UK's ICO announced its intention to fine BA £183.39 million, at the time the largest penalty proposed under the GDPR; as with Marriott, this was a notice of intent rather than a final penalty.
Haga Hospital: 460,000 euros (approximately $510,000), poor security measures
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) found Haga Hospital in breach of Article 32 of the GDPR, which requires technical and organizational security measures appropriate to the risk of the processing. The hospital did not adequately control who could access patient records: staff could view records without two-factor authentication, and access logs were not reviewed regularly. The shortcomings came to light after dozens of staff viewed the records of a single well-known patient without a treatment relationship. Besides the fine, the DPA ordered the hospital to fix the access controls on pain of periodic penalty payments.
Sergic: 400,000 euros (approximately $443,000), poor security measures
Sergic, a French real estate company, was fined for poor access control on its website: documents uploaded by rental applicants, including identity cards, tax returns and bank statements, could be retrieved by anyone who changed a parameter in the URL, without any authentication. The CNIL also found that the company kept those documents longer than necessary for the purpose they were collected for. The fine was issued by the CNIL.
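The access-control failure in the Sergic case, as an added illustration (this is not code from Sergic, the CNIL or this article): a document endpoint that only checks for a logged-in session, beside one that also checks that the document belongs to the caller. The store, user names and document ids are constructed sample data.

```python
"""Object-level authorization: the insecure direct object reference (IDOR)
pattern beside a hardened handler. Added illustration with constructed data."""
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for missing *and* foreign documents, so both look the same to a caller."""


@dataclass
class Document:
    owner: str
    filename: str
    content: bytes


@dataclass
class DocumentStore:
    docs: dict = field(default_factory=dict)

    def add_sequential(self, owner, filename, content):
        # Weak pattern: small sequential ids that anyone can guess by counting.
        doc_id = str(len(self.docs) + 1)
        self.docs[doc_id] = Document(owner, filename, content)
        return doc_id

    def add_random(self, owner, filename, content):
        # Better: a 128-bit unguessable id. Defence in depth only; the ownership
        # check in fetch_hardened is what actually closes the hole.
        doc_id = secrets.token_urlsafe(16)
        self.docs[doc_id] = Document(owner, filename, content)
        return doc_id


def fetch_vulnerable(store, session_user, doc_id):
    """Authenticates the caller, then serves ANY document that exists.
    Changing the id in the request (?id=2 -> ?id=1) returns another
    applicant's file: the classic IDOR."""
    if session_user is None:
        raise PermissionError("login required")
    doc = store.docs.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.content


def fetch_hardened(store, session_user, doc_id):
    """Authenticates, then authorizes: the document must belong to the caller.
    A foreign id raises the same NotFound as a missing one, so the endpoint
    cannot be used to enumerate which ids exist."""
    if session_user is None:
        raise PermissionError("login required")
    doc = store.docs.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc.content


def demo():
    """Two applicants share one store; 'mallory' guesses 'alice's sequential id.
    Returns (what the vulnerable handler leaked, whether the hardened one refused)."""
    store = DocumentStore()
    store.add_sequential("alice", "payslip.pdf", b"ALICE-PAYSLIP")
    mallory_id = store.add_sequential("mallory", "id-card.pdf", b"MALLORY-ID")
    guessed = str(int(mallory_id) - 1)  # the id just before mallory's own
    leaked = fetch_vulnerable(store, "mallory", guessed)
    try:
        fetch_hardened(store, "mallory", guessed)
        blocked = False
    except NotFound:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # (b'ALICE-PAYSLIP', True)
```

The fix is the ownership comparison, not the random id: an attacker who obtains a valid id through a shared link or a log file still has to be its owner to read it. Returning the same error for "missing" and "not yours" also keeps the endpoint from doubling as an id oracle.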
Facebook …
Facebook was recently hit with the "mother of all fines" by the US Federal Trade Commission (FTC). This $5 billion penalty, announced in July 2019, was for privacy violations under the FTC's 2012 consent order. It was around 20 times higher than the largest GDPR fine proposed at the time.
However, this was not a GDPR fine. Not this time, anyway. At the time of writing, the Irish Data Protection Commission (DPC), Facebook's lead supervisory authority in the EU, was investigating Facebook for GDPR violations. The DPC also has open inquiries into WhatsApp and Google.
Will there be more GDPR fines to come?
The general feeling is that organizations have made good attempts at meeting the requirements of the GDPR, but there is still some way to go. The fact that almost $398 million worth of fines have already been issued or announced in the first year confirms this.
It is true that much of this figure is made up of a handful of very large fines from a few EU jurisdictions. However, many smaller fines have been issued to smaller organizations, and the impact of those on an SMB can be as great as, or greater than, the impact of a headline fine on a multinational. No doubt the Irish DPC will be in the news soon with a conclusion on Facebook's adherence to the GDPR.
Further reading
Lexology keeps a running total of GDPR fines, by country.
Sources
- Deloitte General Data Protection Regulation benchmarking survey: Deloitte publishes results of EMEA-wide survey on GDPR readiness, Deloitte
- First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, EDPB
- Major GDPR Fine Tracker – An Ongoing, Always-Up-To-Date List of Enforcement Actions, Alpin
- Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, ICO
- Article 13, EU GDPR: "Information to be provided where personal data are collected from the data subject", privacy-regulation.eu
- The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC, CNIL
- Customer data theft, British Airways
- Article 32, EU GDPR: "Security of processing", privacy-regulation.eu
- CNIL issues 400K euro fine for GDPR violations, IAPP
- Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson, In re Facebook, Inc., July 24, 2019, FTC