Europe's General Data Protection Regulation was introduced in 2018 with much fanfare, yet many companies have decided to risk penalties rather than undertake the hard work of compliance.
GDPR fines – The good, the bad and the unexpected
Coming into effect in 2018, the GDPR aims to give individuals control of their personal data and requires businesses and organisations controlling personal data to put in place appropriate technical and organisational measures to protect that data. Penalties for those in breach of the GDPR can be steep – with fines of up to the greater of €20m or 4% of worldwide turnover.
A year in, however, the fines issued under the GDPR are few. Here are three of the early penalties issued.
Google is rightly admired around the world for many things. Since emerging as a dominant force in the internet search space in the late 1990s, it has diversified into a highly successful player in mapping, video (YouTube), online advertising, cloud storage, statistical analysis (Google Analytics), operating systems, web browsers (Chrome), mobile phones and tablets and even driverless cars.
But Google is also the owner of a €50m fine imposed under the GDPR in late January 2019. Levied by France’s data regulator, CNIL, the penalty relates to Google failing to provide enough information to users about its data consent policies and not giving them enough control over how their information is used. In a nutshell, Google failed to meet GDPR requirements that users give ‘genuine consent’ before their information is collected, which means making consent an explicitly opt-in process that’s easy for people to withdraw. Google’s fine might sound mind-boggling, but in reality, it’s a drop in the ocean compared to what the tech giant could have faced. If you took the four per cent of revenue approach, the hit for Google – which has worldwide turnover north of US$100bn – would be in the billions, rather than the millions.
The first (and maybe the strangest)
Here’s a reminder that the GDPR isn’t only about the online world. The very first fine issued under the new regulations arrived just months after they came into effect and was levied on an Austrian entrepreneur running a sports betting café.
Their crime? Installing a CCTV camera that filmed more of the pavement than was allowed under privacy laws. It was also found that the surveillance was not sufficiently publicised, violating transparency obligations under the GDPR, and that there had been no personal image data deletion within 72 hours.
European Data Protection Supervisor Giovanni Buttarelli had flagged that the first GDPR fines were likely to be announced before the end of 2018, but it seems unlikely the Austrian penalty (which became public in October of that year) was what the European public would have been expecting. The ultimate fine for the CCTV transgression was less than €5,300 – putting the café's annual turnover at something like €132,000.
Not exactly a big fish – although that would come with Google.
When the ‘little details’ bite
Here’s a tip for anyone wanting to test out the GDPR: you’d best have a very good reason for not complying with any of the regulations. Consider the case of a data controller – later identified as Bisnode – which was fined €220,000 by the Polish Personal Data Protection Office in March 2019.
In essence, Bisnode was fined for failing to inform more than six million people that it was processing their data. Of the 90,000-plus people that Bisnode did inform, some 12,000 complained. But it’s in the further details that things get really interesting: the 90,000 Bisnode did inform were individuals the company had email addresses for, while there were another 200,000 people for whom Bisnode only had a mobile telephone number and another six and a half million people for whom it only had postal details.
Bisnode claimed that it would have been too expensive to individually contact all the people for whom it did not have email addresses and that doing so would cost more than its entire turnover for 2018. Its nod to those people was instead to have a statement titled 'Data and privacy'/'Information on the processing of personal data' under a tab on its website (this actually met some aspects of GDPR compliance). But the Polish data regulator has disputed that it would have taken ‘disproportionate effort’ for Bisnode to contact parties without email addresses and has ruled that the company flouted compliance for its own financial gain.