5 biggest GDPR fines so far {2020}


The most recent research by DLA Piper, its GDPR data breach survey of January 2020, reported that there had been 160,921 personal data breaches within the EEA from May 25, 2018, up until now.

However, the total amount of GDPR fines issued so far does not really follow those numbers. Despite the 160-something thousand violations reported to the supervisory authorities, the fines issued came to a little over €144 million, which is not that much.

Source: GDPR Fines Tracker & Statistics

The report continues with the most active EU member states of the past 20 months. France, Austria and Germany took the title, issuing the biggest GDPR fines, but mostly with one big penalty each. To be fair, Germany had two multimillion fines totalling a little over €24 million.

However, if the beginning of the year is any indicator, the citizens of the EU can sleep soundly, since there are signs that other authorities will become more proactive this year, just like the Spanish Data Protection Authority (AEPD) and the Italian Garante, which have both been very active recently.

Before we jump over to the fines, let’s remind you of the two levels of GDPR fines:

• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher
• the upper level is twice that size: up to €20 million, or 4% of the worldwide annual revenue, whichever is higher.

We also have to mention two GDPR cases regarding British Airways and Marriott International. Both cases are under the jurisdiction of the UK’s independent body, the Information Commissioner’s Office (ICO).

However, the ICO issued only a notice of its intention to fine Marriott International and intention to fine British Airways under GDPR for a data breach.

Remember, the first GDPR fine issued by the ICO was actually to a pharmaceutical company, Doorstep Dispensaree pharmacy.

So, since the fines are not yet final, we will not include them on our list, but we still think they are worth mentioning:

➕ British Airways – €204,600,000

In July 2019, the ICO announced its intention to issue a €204.6 million (183.39 million pounds) fine to British Airways for violation of Article 31 of the GDPR. The incident occurred in September 2018, when the British Airways website diverted users’ traffic to a hacker website. This resulted in hackers stealing the personal data of more than 500,000 customers.

The company had inadequate security mechanisms to prevent such cyber-attacks from happening. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”

➕ Marriott International – €110 390 200

Also in July 2019, the ICO issued a statement of its intent to fine Marriott International for infringements of the GDPR. The ICO explained that the fine was related to a cyber-attack in which the personal data in over 339 million guest records were exposed. Out of those 339 million individuals, 31 million were residents of the EEA.

Marriott International exposed itself to the cyber-attack after the acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

1. Google – €50 000 000

On 21 January 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million. This, the biggest GDPR fine to date, was issued for violation of:
• Information to be provided where personal data are collected from the data subject – Article 13,
• Information to be provided where personal data have not been obtained from the data subject – Article 14,
• Lawfulness of processing – Article 6,
• and Principles relating to the processing of personal data – Article 5

The fine was therefore issued on account of a lack of transparency about how the data were harvested from data subjects and used for ad targeting. Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.

2. TIM – €27 800 000

January 15, 2020, was a critical day for the Italian telecommunications operator TIM. The Italian DPA, the Garante, issued a €27.8 million GDPR fine for quite an extensive list of violations. The scope of the illegal activities is hard to ignore. TIM contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or another legal basis.

A few million individuals were affected by this aggressive marketing strategy, and some of the activities involved:
❌ Improper management of consent lists
❌ Excessive data retention
❌ Data breaches
❌ Lack of proper consent
❌ Violation of GDPR rights


3. Austrian Post – €18 000 000 

We talked about this case before in one of our blogs, so you can read the entire case here. In short, the Austrian Data Protection Authority issued an €18 million GDPR fine (plus the cost of the investigation, in the amount of 1.8 million) to the Austrian national postal service on 23 October 2019. It is the biggest GDPR fine issued in Austria.

Austrian Post had created profiles of more than 3 million Austrian citizens, which accounts for over one-third of Austria’s total population. Personal preferences, political interests, addresses and other information were collected and then sold to third parties.


4. Deutsche Wohnen SE – €14 500 000

The highest German GDPR fine to date was issued to the real estate company Deutsche Wohnen on October 30, 2019. The fine, which related to the retention period of personal data, was issued by the Berlin Commissioner for Data Protection and Freedom of Information. The company failed to provide a GDPR-compliant data retention and data removal procedure for the personal data of its tenants.

The official statement clarified: “[…]the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required.”


5. 1&1 Telecom GmbH – €9 550 000

On December 9, 2019, another big fine was issued to another German company, 1&1 Telecom. 1&1 Telecom was fined for not taking appropriate action to prevent unauthorized parties from accessing customer data in its call centre.

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) indicated that anyone could get access to classified personal information on 1&1’s customers. By simply calling the customer service department and giving a customer’s name and date of birth, a caller could easily access customer information.

This relates to the failure to take appropriate technical and organizational measures to protect personal data, in violation of Article 32 of the GDPR. Read more about the GDPR fine for 1&1 Telecom.


5 biggest GDPR fines so far – conclusion

This is the current list of the biggest GDPR fines so far, but we have a feeling that in 2020 this list is going to change a lot. As the DLA Piper report states:

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”

So we believe there will be a lot more GDPR-related activity in 2020.