DLA Piper's GDPR Data Breach Survey (January 2021) reports a 19% increase in the number of breach notifications, from 287 to 331 breach notifications per day, over the past year, continuing the trend of double-digit growth in breach notifications.
Although 2020 showed some increase in activity by data protection authorities, GDPR fines did not come close to reflecting those data breach numbers.
At the same time, we see big tech giants like Facebook, Twitter, or Google that seem to be getting away with just a slap on the wrist. Just recently Twitter was hit with a €450,000 GDPR fine, which many found to be significantly less than expected, and which came almost two years after the breach disclosure, leading to strong criticism of GDPR’s effectiveness.
Despite that and a few other setbacks, like an €18 million GDPR fine for the Austrian Post that was overturned at the end of 2020, or a significant reduction in the amounts of the two most-talked-about three-digit fines (Marriott and British Airways) due to the special circumstances of the Coronavirus pandemic, the beginning of 2021 still suggests regulators will step up and test their powers.
Total amount of GDPR fines
The rough total of all GDPR fines issued so far is currently a little shy of €275 million. Interestingly, both the smallest and the biggest fine to date were issued to Google.
There are also 7 GDPR fines whose amounts were not made public (four from Slovakia, two from Germany, and one from Croatia), so we cannot include them.
Among EU member states, the highest individual GDPR fines were issued by France, Germany, and Italy. In last year’s report, Austria was one of the leaders in terms of the biggest individual GDPR fine issued so far. However, the order changed after the aforementioned overturning of the fine.
Germany had two multimillion fines topping a little over €24 million in total (a €9.55 million GDPR fine for 1&1 Telecom and a €14.5 million GDPR fine for Deutsche Wohnen SE), while France still holds the first position with the €50 million Google fine.
Total amount of GDPR fines by country
However, by the end of 2020, Italy had issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties, leaving Germany, France, and the UK behind when it comes to the amount of aggregated fines.
Countries with the most GDPR fines issued so far
If we look at the activity of all EU data protection authorities, the Spanish Data Protection Authority (AEPD) stands head and shoulders above everybody else with 175 fines.
Altogether, the AEPD has issued over €15.6 million in fines, thanks to two big fines issued recently: €5 million to Banco Bilbao Vizcaya Argentaria and €6 million to CaixaBank, the highest GDPR fine the country has issued.
Two levels of GDPR fines
Before we jump over to the fines, a quick recap: there are two levels of GDPR fines:
• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher;
• the upper level is twice that: up to €20 million, or 4% of the worldwide annual revenue, whichever is higher.
Since we don’t want to repeat ourselves (too much), you can read more about GDPR fines in general in our glossary.
5 biggest GDPR fines so far
1. Google – €50 000 000
On 21 January 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million. This is the biggest GDPR fine to date, issued for violation of:
• Information to be provided where personal data are collected from the data subject – Article 13,
• Information to be provided where personal data have not been obtained from the data subject – Article 14,
• Lawfulness of processing – Article 6,
• and Principles relating to the processing of personal data – Article 5.
The fine was therefore issued on account of a lack of transparency about how the data were harvested from data subjects and used for ad targeting. Google failed to provide users with enough information about its consent policies and did not give them enough control over how their personal data is processed.
2. H&M – €35 258 708
The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million (or $41.5 million) fine to the Swedish retail conglomerate Hennes & Mauritz (H&M) for violation of the General Data Protection Regulation (GDPR).
The issue became public after a technical error: the data on the company’s network drive was accessible to everyone in the company for a few hours, the press picked up the news, and that made the Commissioner aware of the violation.
The case is pretty interesting, since the company collected sensitive personal data about its employees through whispering campaigns, gossip, and other sources to create employee profiles, and then used that data in employment decisions.
The personal data included medical records, including diagnoses and symptoms of illness, as well as private details about vacations and family affairs.
3. TIM – €27 800 000
January 15, 2020, was a critical day for the Italian telecommunications operator TIM. The Italian DPA Garante issued a €27.8 million GDPR fine for quite an extensive list of violations. The scope of their illegal activities is hard to ignore: they contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or any other legal basis.
A few million individuals were affected by their aggressive marketing strategy. The activities involved:
❌ improper management of consent lists
❌ excessive data retention
❌ data breaches
❌ lack of proper consent
❌ violation of GDPR rights
The personal information included name, surname or company name; tax code or VAT number; telephone line; address; and contact details.
We recommend reading the full article, which explains the violations in detail:
4. British Airways – €22 046 000
In July 2019, the ICO initially announced its intention to fine British Airways €204.6 million (£183.39 million) for violation of Article 31 of the GDPR. What was announced as the biggest GDPR fine ever set in the UK ended up being reduced to £20 million, in light of the COVID-19 pandemic and the effect it had on the airline industry.
The incident occurred in July 2018 but was only discovered in September 2018. During those months, the British Airways website diverted user traffic to a website controlled by the attackers, which resulted in the theft of personal data of more than 400,000 customers.
According to the ICO official statement, the “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”
The company had inadequate security mechanisms to prevent such cyber-attacks from happening. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”
5. Marriott International – €20 450 000
In July 2019, the ICO announced its intention to fine Marriott International more than £99 million for infringements of the GDPR. The fine was related to a cyber attack in which over 339 million guest records were exposed. Out of those 339 million individuals, 31 million were residents of the EEA.
Marriott International exposed itself to the cyber-attack after the acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.
On October 30, 2020, the ICO issued a penalty notice explaining its decision. After more than a year, there is finally a conclusion to the ICO investigation: the fine was reduced from a massive £99 million to £18.4 million.
In its penalty notice, the ICO explains the reasons behind the decision, taking into account a range of mitigating factors and the impact of the Covid-19 pandemic.
Marriott also commented on the decision on its official website, stating:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
In 2020, Marriott suffered another data breach, this time affecting 5.2 million individuals. Read more about the second Marriott breach:
GDPR fines so far - conclusion
This is the current, up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, indicating a lot of activity from data protection authorities. As the DLA Piper report states:
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”
An important takeaway from the recent ICO decision to reduce the fine for British Airways is that regulators are adjusting to the special circumstances of the current global situation. What remains to be seen is whether other data protection authorities will follow.
How can you become compliant faster?
Data Privacy Manager is a modular solution that tackles the real day-to-day challenges of small and medium-sized companies and enterprises, and can help you with:
✅ central management and connectivity with other systems
✅ collaboration through all organizational units
✅ automated data removal
✅ managing compliant record of processing activities
✅ risk-free third-party management
Try a 14-day free trial of the Data Privacy Manager and experience how you can simplify managing records of processing activities and risk assignment!