DLA Piper's 2021 GDPR Data Breach Survey reports a 19% increase in breach notifications over the past year, from 278 to 331 notifications per day, continuing the trend of double-digit growth.
Although 2020 showed some increase in activity by data protection authorities, the fines issued under the GDPR did not come close to reflecting those breach numbers.
At the same time, big tech companies like Facebook, Twitter or Google seem to be getting away with a slap on the wrist.
Twitter was hit with a €450,000 GDPR fine, which many found to be significantly lower than expected (and almost two years after the breach disclosure), leading to strong criticism of the GDPR's effectiveness.
There were a few other setbacks, such as the €18 million GDPR fine against Austrian Post that was overturned at the end of 2020, and the significant reduction of the two most-talked-about fines (Marriott and British Airways) due to the special circumstances of the Coronavirus pandemic.
However, the beginning of 2021 still suggests that regulators will step up and test their powers.
Total amount of GDPR fines
The total amount of all GDPR fines issued so far is currently a little over €292 million. Interestingly, both the smallest and the largest fine to date were issued to Google.
GDPR fines that are not publicly disclosed
There are also nine GDPR fines whose amounts were not made public, so we cannot include them: four from Slovakia, two from Germany, two from Croatia and one from the Czech Republic.
Total amount of GDPR fines by country
By the end of 2020, Italy had issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties.
In 2021 Italy still holds first place with a little over €76 million, followed by Germany (€63 million), France (€54 million), the UK (€44 million) and Spain (€25 million).
Looking at the countries with the lowest total amounts of GDPR fines, Austria is surprisingly near the bottom, with only Iceland, the Isle of Man, Malta and Croatia behind it (assuming that the two undisclosed Croatian fines were lower than €70,000).
Countries with the biggest number of GDPR fines issued so far
Looking at the activity of all EU data protection authorities, the Spanish Data Protection Authority (AEPD) stands head and shoulders above everybody else with 212 fines.
Altogether, the AEPD has issued over €25 million in fines, thanks largely to two big fines issued recently: €5 million to Banco Bilbao Vizcaya Argentaria (BBVA) and €6 million to CaixaBank, the highest GDPR fine the country has issued.
Two levels of GDPR fines
Before we jump to the fines, a quick recap. Article 83 of the GDPR defines two levels of administrative fines:
• the lower level is up to €10 million, or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher
• the upper level is twice that: up to €20 million, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Since we don't want to repeat ourselves (too much), you can read more about GDPR fines in general in our glossary.
5 biggest GDPR fines so far
Among EU member states, the highest individual GDPR fines have been issued by France, Germany, Italy and the UK.
In last year's report, Austria was among the leaders for the biggest individual GDPR fine issued so far. However, the order changed after the aforementioned overturning of that fine.
1. Google GDPR fine – €50 000 000
On January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million, the biggest GDPR fine to date, for violations of:
- Information to be provided where personal data are collected from the data subject – Article 13,
- Information to be provided where personal data have not been obtained from the data subject – Article 14,
- The lawfulness of processing – Article 6,
- Principles relating to the processing of personal data – Article 5
In short, the fine was issued for a lack of transparency about how personal data was collected from data subjects and used for ad targeting.
Google failed to give users sufficient information about its consent policies and did not give them enough control over how their personal data is processed.
2. H&M GDPR fine- €35 258 708
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued a €35.3 million (about $41.5 million) fine to the Swedish retail conglomerate Hennes & Mauritz (H&M) for violations of the General Data Protection Regulation (GDPR).
The issue became public after a technical error left the data on the company's network drive accessible to everyone in the company for a few hours. The press picked up the story, which made the Commissioner aware of the violation.
The case is particularly interesting because the company collected sensitive personal data about its employees through informal conversations, gossip and other sources, built profiles of those employees and used that data in employment decisions.
The personal data included medical records, including diagnoses and symptoms of illnesses, as well as private details about vacations and family affairs.
3. TIM GDPR fine- €27 800 000
January 15, 2020, was a critical day for the Italian telecommunications operator TIM. The Italian DPA, the Garante, issued a €27.8 million GDPR fine for an extensive list of violations. The scope of the unlawful activity is hard to ignore: TIM contacted non-customers repeatedly (certain numbers more than 150 times per month) without valid consent or any other legal basis.
A few million individuals were affected by this aggressive marketing strategy. The violations included:
- Improper management of consent lists
- Excessive data retention
- Data Breaches
- Lack of proper consent
- Violation of data subjects' rights under the GDPR.
The personal data involved included name, surname or company name; tax code or VAT number; telephone line; address; and contact details.
We recommend reading our full article, which explains this case in detail:
4. British Airways GDPR fine – €22 046 000
What was initially announced as the biggest GDPR fine ever issued (the ICO's notice of intent was for £183 million) ended up being reduced to £20 million, in light of the COVID-19 pandemic and its effect on the airline industry.
The incident began in June 2018 but was only discovered in September 2018. During those months, data entered by users on the British Airways website was diverted to a site controlled by the attackers, who stole the personal data of more than 400,000 customers.
According to the ICO's official statement, the "…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months."
The company lacked adequate security mechanisms to prevent such an attack. The ICO stated that a "variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well name and address information."
5. Marriott International GDPR fine – €20 450 000
In July 2019, the ICO issued a notice of intent to fine Marriott International £99 million for infringements of the GDPR. The fine related to a cyber attack that exposed over 339 million guest records.
Of those 339 million records, 31 million related to residents of the EEA.
Marriott International exposed itself to the attack through its acquisition of the Starwood hotels group, whose systems had already been compromised.
The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.
On October 30, 2020, the ICO issued a penalty notice explaining its decision. After more than a year, the ICO investigation finally concluded, with the fine reduced from a massive £99 million to £18.4 million.
In the penalty notice, the ICO explains the reasons behind its decision, taking into account a range of mitigating factors and the impact of the Covid-19 pandemic.
Marriott also commented on the decision on their official website stating:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
In 2020, Marriott suffered another data breach, this time affecting 5.2 million individuals. Read more about the second Marriott breach:
GDPR fines so far - conclusion
This is the current, up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, indicating a lot of activity by data protection authorities. As the DLA Piper report states:
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”
An important takeaway from the ICO's recent decision to reduce the British Airways fine is that regulators are adjusting to the special circumstances of the current global situation. What remains to be seen is whether other data protection authorities will follow.
How can you become compliant faster?
Data Privacy Manager is a modular solution that tackles the real day-to-day challenges of small and medium-sized companies and enterprises, and can help you with:
✅ central management and connectivity with other systems
✅ collaboration through all organizational units
✅ automated data removal
✅ managing compliant record of processing activities
✅ risk-free third-party management
Try a 14-day free trial of the Data Privacy Manager and experience how you can simplify managing records of processing activities and risk assignment!