Since its inception in 2018, the General Data Protection Regulation (GDPR) has transformed the privacy landscape across the European Union beyond all recognition.
After a slow start, with regulators initially struggling to get up to speed, steadily evolving jurisprudence and growing enforcement has since strengthened the GDPR’s position as a global pioneer in data protection, handing consumers back an unprecedented level of control over their personal information.
2022 has been a significant year for data protection in Europe. With collective GDPR fines reaching a record high, it is clear that regulators are taking enforcement more seriously than ever. Despite this, companies are still getting it wrong - and often in a big way. With repeat offenders popping up again and again, questions remain over the efficacy of fines as a deterrent to those with the deepest pockets.
With a slight decrease in the total number of fines issued from 2021, this year saw a focus on the most severe breaches, with several landmark penalties levied against some of the biggest household names in big tech. However, approaches between member states varied considerably, with some authorities recording far higher numbers of smaller “open and shut” regulatory matters.
Whilst these differences are a sign that many regulators are still finding their feet when it comes to focusing their resources, the general direction of travel is clear - as the GDPR enters its fifth year, any grace period is well and truly over, and the net is tightening on companies who are still falling on the wrong side of the line.
In this article, we explore the importance of the GDPR within the wider context of global privacy laws, before taking a deep dive into the six biggest fines handed out in Europe over the past year - and how to avoid becoming one of them as you move forwards into 2023.
Why is the GDPR so important?
What is so special about the General Data Protection Regulation (GDPR) that it has become the gold standard of data privacy regulations?
First, it sets a global example.
With many countries across the world still playing catch up with the advancement of technology, the GDPR is widely viewed as an exemplary regime when it comes to data protection.
With many places (including the US and Australia) still a long way from adopting federal privacy laws, the GDPR’s comprehensive jurisdiction across the EU has given unique authority to its regulators - setting a powerful example for others. Put simply - where the GDPR goes, other regimes tend to follow.
Secondly, it affects almost everyone.
Not only does the unified nature of the GDPR mean that European citizens can enforce their rights against any company within Europe, but its scope also extends far beyond EU borders, also protecting them when their information is processed by organizations anywhere else in the world.
This means that, effectively, the GDPR is a global concern for any and all individuals and businesses - anywhere in the world - whose goods or services might be accessed by European citizens.
What are the maximum privacy fines under the GDPR?
The GDPR carries some of the most stringent penalties for data offenses anywhere in the world. Fines are not the only remedy on the menu (with companies also on the receiving end of data processing bans and orders to remedy infringements) but monetary penalties arguably pose the greatest risk for companies handling consumer data.
Fines issued under the GDPR vary considerably, and are determined on the facts of each case. Their primary purpose is to serve as an effective and proportionate deterrent to future breaches.
As well as a two-tier administrative fine system, the GDPR also provides the additional right for data subjects to seek private compensation through the civil courts where they suffer damage as a result of an infringement.
Lower tier fines
GDPR infringements are treated according to their severity and scale. Even the most “minor” breaches can be penalized by lower-tier fines of up to either 10 million Euros, or 2% of the organization’s annual global revenue (whichever is greater). These fines are handed down in respect of the following:
Controllers and processors (Articles 8, 11, 25-39, 42 and 43): This includes any organizations who collect, control or process personal data. They must comply with a wide host of regulations including those governing consent, lawful basis for processing, and security.
Monitoring bodies (Article 41): The GDPR encourages the appointment of independent monitoring bodies to handle complaints and infringements. These bodies must ensure compliance with approved codes of conduct.
Certification bodies (Articles 42 and 43): The GDPR also encourages member states to appoint an accredited body to certify compliant organizations. These must comply with regulations around transparency and bias-free assessments.
Higher tier fines
Where infringements of data subject rights are more severe, fines can be imposed at up to double the amount of lower-tier penalties. Maximum higher tier fines can extend to up to whichever is greater - 4% of an organization's total global annual turnover, or 20 million Euros.
For large multinationals like Google and Meta, this can add up fast. Higher tier fines are handed down in respect of the most fundamental breaches which go to the core of the protection of privacy, including, amongst others:
The basic principles for processing (Articles 5, 6, and 9): These include transparency, accuracy, security, and prohibitions on sensitive data processing. If an organization cannot demonstrate a fundamental lawful basis for its processing, it will fall at the first hurdle.
Data subject rights (Articles 12-22): Central to the GDPR is the right of data subjects to access the information that an organization holds about them, and to have this data erased where applicable. Organizations who fail to facilitate this are likely to be penalized harshly.
The conditions for consent (Article 7): Consent is at the heart of the protection of consumer privacy. An organization must be able to clearly document that they have obtained consent from data subjects where they rely on its existence for data processing.
Transfer of data to third countries (Articles 44-49): Because the scope of the GDPR extends beyond EU borders, organizations who wish to transfer information elsewhere across the globe must demonstrate that the data will be safeguarded when it arrives - or face heavy penalties.
Scope of total global turnover fines
Higher tier fines can be bad news for multinationals. When assessing a total global turnover fine, regulators can take into account the entire corporate group to which the offending company belongs.
In the case of Meta, for example, which operates multiple subsidiaries in various jurisdictions, a fine for a breach within one subsidiary will not be limited to that subsidiary’s turnover but will be assessed against that of the entire Meta group.
How are penalties under the GDPR calculated?
Some of the key factors which must be considered by regulatory authorities when dishing out fines under the GDPR include:
The gravity and nature of the offense, including who was affected, and how badly;
Whether or not the infringement was intentional;
Whether any actions were taken to mitigate the damage caused to those affected;
Whether the company took adequate precautionary measures to comply with the GDPR;
Whether the company has a previous history of compliance issues;
The extent to which the company cooperated to remedy the infringement;
The data category of personal information affected;
Whether the company provided proactive notification of the breach to their regulator;
Whether the company was certified as compliant and following codes of conduct; and
Any aggravating factors (including financial benefits gained from the breach, or losses avoided as a result of it).
Where and why did most of the biggest GDPR fines happen in 2022?
Notably, the countries with the highest total fines issued to date under the GDPR are entirely different from those that have issued the largest number of fines. Ireland, France, and Luxembourg lead the pack when it comes to the highest amounts levied, with Ireland issuing fines of almost 1 billion Euros against Meta alone.
The picture is slightly different in respect of the total number of fines issued to date, with Spain, Italy, and Germany topping the list. Spain in particular has set a high regulatory bar, issuing hundreds of fines over the past year. The vast majority of these relate to relatively straightforward security matters in which non-compliance is both easy to spot and penalize.
Types of violation
By far the biggest fines handed out this year were in respect of non-compliance with fundamental data processing principles, with a large number also issued to organizations for failure to demonstrate a legal basis for their processing activities.
Because these types of infringements go to the heart of data subject rights, they also reflect the increase in six-figure penalties handed out throughout 2022.
It should come as no surprise that with technological innovation evolving at an ever faster pace, big tech is once again the biggest villain of the year.
The heftiest fines of 2022 went to organizations in the media, telecoms, and broadcasting industry for the third year running - a trend that looks set to continue.
What were the six biggest fines issued under the GDPR in 2022?
1. Instagram [Meta Platforms Ireland Limited] - Children’s data rights (28 July 2022)
- Total fine: 405 million Euros
- Country: Ireland (Irish Data Protection Commission)
- Breaches: Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 24 GDPR, Art. 25 (1), (2) GDPR, Art. 35 GDPR
A global household name, Meta is a multi-billion dollar heavyweight at the center of the social media landscape, with over 2.934 billion total users across its platforms as of July 2022.
In the second highest ever fine to be issued under the GDPR - and the first EU-wide ruling on children’s privacy rights - this landmark decision followed the unlawful public disclosure of personal data in respect of child users (between the ages of 13 and 17) of the Instagram platform.
The oversight allowed children to set up accounts through the business account feature, which set email addresses and phone numbers to public by default. The same information was disclosed in respect of new registrations for personal accounts. The regulator rejected Meta’s arguments that the disclosures met a legitimate interest and were necessary for the performance of their contracts.
Meta have voiced their opposition to the decision, which marks a key moment in the protection of the personal data of minors across Europe.
2. Facebook [Meta Platforms, Inc] - Data scraping (28 November 2022)
- Total fine: 265 million Euros
- Country: Ireland (Irish Data Protection Commission)
- Breaches: Art. 25 (1), (2) GDPR
It’s been a tough year for relations between Meta and the Irish regulator. Hot on the heels of the Instagram decision, the company found itself on the receiving end of yet another six figure fine, this time in respect of its Facebook platform. The case took the total fines levied against Meta in Ireland to almost 1 billion Euros over the past 12 months.
Following media reports of personal data from over 500 million Facebook users being leaked online, an inquiry was launched in April 2021 which concluded in November of this year.
Meta was found in breach of the principle of data protection by default, having failed to secure the processing involved in the Facebook search, messenger importer and Instagram contact importer tools between 2018 and 2019. This led to illegal “data scraping” of personal information by third parties.
3. Google LLC - Cookies (6 January 2022)
- Total fine: 90 million Euros
- Country: France (Commission Nationale de l'Informatique et des Libertés (CNIL))
- Breaches: Art. 7 GDPR, Art. 82 Loi Informatique et Libertés
At the heart of the internet, Google handles over 70 percent of global online search requests, with an average of 90 billion visits per month. Although this decision was handed down on the last day of 2021, it was not published until January this year - and is a significant case to take note of.
In its decision, the CNIL imposed a particularly heavy penalty on the company given the substantial financial benefit gained from increased acceptance rates, as its main revenue streams come from targeted advertising based on cookie monitoring.
As a specialist area of data law, cookie regulation technically falls within the scope of the ePrivacy Directive, and not the GDPR. However, because the issue of consent was central to the infringement at hand, the matter was brought within the remit of the consent mechanisms of the GDPR. Google also received a further 60 million Euro fine on the same day in respect of the same breaches in Ireland.
4. Clearview AI - Biometric monitoring (20 October 2022)
- Total fine: 60 million Euros per country
- Country: Italy (Garante per la protezione dei dati personali), Greece (Hellenic Data Protection Authority (HDPA)), France (Commission Nationale de l'Informatique et des Libertés (CNIL))
- Breaches: Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27 GDPR
Clearview AI is a facial recognition firm which collects images of individuals from across the internet to be sold to law enforcement authorities. With over 20 billion images in its database, the company creates a “biometric template” of data subjects - who are usually unaware that their images have been used.
The company was found guilty of unlawfully processing sensitive biometric and geolocation information without consent. They could not demonstrate any legitimate interest to justify the intrusion.
To add insult to injury, Clearview were also found guilty of unlawfully restricting people’s right of data access, limiting the scope of requests to a 12 month period and twice a year per data subject. They were frequently providing partial responses or none at all, particularly to those who made multiple requests.
In the final nail in the coffin of this case, Clearview were heavily penalized for failing to respond to the formal notice issued by the CNIL. This led to a substantially higher fine, and should serve as a warning to others that regulators are taking an increasingly dim view of poor cooperation with authorities.
5. Microsoft Ireland Operations Ltd - Cookies [Bing.com] (19 January 2022)
- Total fine: 60 million Euros
- Country: France (CNIL)
- Breaches: Art. 82 loi Informatique et Libertés
One of the biggest tech heavyweights on the planet, Microsoft has fallen foul of data protection laws on more than one occasion over the past few years. Just days before the close of 2022, the company landed itself the largest domestic fine of the year from the French regulator - for a remarkably similar offense to the Google matter just a few months earlier.
Microsoft were penalized for failing to provide users of the popular search engine Bing in France with a simple option for rejecting cookies - instead offering only a “de facto” button for users to accept cookies upon entering the site. The result was that user devices were effectively being tracked without consent - a breach worsened by the fact that the information gathered was in part used for lucrative advertising purposes.
Microsoft has been given three months to rectify the situation and provide users with a genuine opt out button at the point of use, under threat of further penalties of 60,000 Euros per day for failure to comply.
As in the Google case, cookie regulation in France technically falls under the scope of the ePrivacy Directive - but the core of the issue is user consent, which remains at the heart of the GDPR.
With this penalty consolidating a clear line of jurisprudence in this area, the writing is on the wall when it comes to the use of online cookies - it is likely that regulators will grant increasingly less leeway to companies who fail to protect customer rights in respect of online tracking and consent in the future.
6. Enel Energia - Telemarketing (19 January 2022)
- Total fine: 26.5 million Euros
- Country: France (CNIL)
- Breaches: Art. 31, Art. 5 (1), (2), Art. 25 (1), Art. 6, Art. 12 (2) GDPR
Last but not least, the energy supply company kicked off the year with a hefty fine for violation of accountability, accuracy, transparency and fairness principles as part of extensive unlawful telemarketing activities. The decision in the Enel Energia case came after several years of lengthy investigations and requests for information by Italy’s regulating body.
The company was found guilty of making unsolicited marketing and promotional calls and emails to individuals, including to some who had explicitly opted out of receiving them. A litany of further breaches was also uncovered in the company’s processing of personal information through its website and apps, as well as those of its partners.
In what was a recurring theme among many of the higher penalties issued this year, Enel Energia were also found guilty of failing to protect the right of data subjects both to access details of the data held about them and to object to its use. The waters were muddied further by conflicting information provided to users about the identity of the company’s data controller.
Lack of cooperation with the regulatory investigation was once again a key aggravating feature in this case, increasing the penalty imposed.
Key takeaways and how to avoid GDPR enforcement action in 2023
Looking back at the biggest GDPR data privacy fines of 2022, we've been able to draw some insights and takeaways:
The data privacy landscape is getting tougher
It is clear that, as landmark decisions continue to create imposing precedents for the future, the GDPR is steadily gaining more teeth. It is worth noting that with many of the biggest decisions of 2022 coming off the back of several years of investigations, the reality is that many of these cases reflect practices which were happening years ago - and regulatory expectations will only rise as the legislation matures.
You don’t have to look far beyond European borders to see that the rest of the world is already starting to follow suit. With huge fines being issued globally this year against multinationals from China to California, and federal regulation being considered in the USA, the environment is only getting tougher for those who push the boundaries.
European regulators are coordinating their efforts
A number of the biggest fines issued this year spanned multiple EU jurisdictions, particularly in the Google, Instagram and Clearview AI cases. These matters have highlighted increasing coordination between regulators.
In the Instagram case, it has been speculated that the number of objections by member states to the initial decision in France, leading to central dispute resolution by the European Data Protection Board, was a factor in the increased amount of the final penalty. It seems likely that, where breaches affect multiple member states, there may be a higher risk of tougher sanctions looking forward.
Is the GDPR still working?
Despite the clear rising cost of getting data protection wrong, it remains to be seen whether the message is getting across for some of the worst offenders. As a case in point, the biggest fine of the year remains a drop in the ocean for Meta. Their repeated breaches raise the question of whether the deterrent effect is really working - or if fines are simply being factored in by multinationals as part of the cost of doing business.
However, whether they can afford penalties or not, it would be unwise for organizations to reduce their privacy obligations down to a purely financial consideration. With increasing reputational damage and loss of consumer trust starting to threaten the advertising revenue on which many of these big tech companies rely, there are far bigger stakes at play than can be seen in penalty data.
How can companies avoid GDPR enforcement action in 2023?
Whilst there are a whole host of issues to be unpicked from the collective penalties issued under the GDPR this year, here are some of our key insights:
Cookies and consent
It is clear that any attempt to make the process of refusing cookies more complex than accepting them will be treated as an infringement of the requirement that consent be freely given. Violations will be looked upon particularly severely given the significant amount of advertising revenue that can be generated from cookie data.
Children’s data
As the average age of online app and website users continues to fall, the Instagram case serves as a harsh reminder that any company that targets or includes children in its consumer base must be extra vigilant when it comes to privacy.
Children merit specific protection under the GDPR, and the high-profile nature of this case means that an extremely dim view is likely to be taken of any future breaches.
Monitoring and surveillance
With rising enforcement actions being brought against companies using various forms of monitoring and surveillance technologies, the Clearview case highlights the growing EU jurisprudence against those who gather sensitive data from subjects without consent.
Companies who are working with innovative technologies should be extremely careful in their due diligence to ensure that they identify and mitigate any risks to the rights and freedoms of consumers.
Cooperation with regulators
A recurring theme throughout many of the biggest cases of 2022 was the failure of data controllers and processors to cooperate with regulatory investigations.
The Clearview and Enel Energia cases both highlight an increasing lack of patience among regulators for companies who fail to respond to formal notices from the authorities - future offenders can expect this to increase penalties considerably. This is one of the biggest lessons of the year - once mistakes have been made, don’t make things unnecessarily worse by ignoring them!
Let's make sure you don't end up on the next list. Get in touch with our team to talk about your privacy and compliance challenges, and see how Didomi can help.