Just over three years ago, the GDPR was passed into law. Contrary to the scare before its enforcement, fines weren’t exactly issued left and right on day one – but they’re now finally picking up speed.
The GDPR allows the EU’s Data Protection Authorities to issue fines of up to €20 million ($24.1 million) or 4% of annual global turnover (whichever is higher). It is safe to assume that in 2018 authorities allowed for an initial adjustment period for both data controllers and themselves. During that phase, relatively few fines were issued.
Since 2019 there has been a steady rise in the overall number of fines, and since 2020 an impressive rise in their amounts. Industry and Commerce, Media and Telecommunications, and the Public Sector are the most affected. This summer has been very eventful for Big Tech. In July 2021 Amazon was hit with the biggest GDPR fine issued to date, amounting to €746 million ($887 million). Moreover, last week a long-awaited action by the Irish Data Protection Authority hit the news: Facebook-owned WhatsApp Ireland received a €225 million ($267 million) fine, making this decision the second biggest ruling against the Tech Giants.
In this article, we aim to offer an overview of the Data Protection Authorities’ (DPAs) practices regarding the issuing of fines. Please keep in mind that the statistical data mentioned below refers to the fines published by the DPAs, regardless of whether these fines have been appealed and regardless of whether their recipients have paid them.
What are the most common fine types?
The DPAs across Europe have issued fines for various violations of the GDPR. Let’s take a look at which ones are trending.
First, not having a sufficient legal basis for data processing is the most common violation, with 278 fines issued so far. The sum of these fines amounts to approximately 176 million euros. This was also the basis of the fines issued to Google (2019), H&M (2020) and Italian Telecom (2020).
Second by total number of fines is the lack of sufficient technical and organisational measures to ensure information security (163 fines). The sum of these fines amounts to approximately 67.5 million euros. This type of violation was the reason for the big fines issued to British Airways and Marriott International, Inc in 2020.
Fines for non-compliance with general data processing principles occupy third place by number of fines (161), while the sum of such fines has reached approximately 780.5 million euros. This was also the violation for which Amazon received the biggest fine issued since the GDPR came into effect.
Moreover, there have been 72 fines for insufficient fulfilment of data subject rights, 56 for insufficient fulfilment of information obligations and 32 for insufficient cooperation with the supervisory authority.
Which DPAs have shown the most activity in issuing fines?
DPAs across Europe are in charge not only of supervising and penalising institutions but also of acting as advisors. Therefore, instead of imposing a fine, they will often ask the organisation found to have violated the GDPR to take corrective measures.
Some DPAs are more willing to hand down fines than others. Thus far, the Spanish DPA has shown the most activity in terms of issuing fines, with a total of 281 fines. Other countries with comparatively high fine activity are Italy, Romania and Hungary. Comparing the data from the different DPAs, it is not easy to tell what the differentiating factors are. Some of them follow a practice of issuing many fines of low amounts (the sum of fines issued by the Spanish DPA does not exceed the amount of €32,620,000), while others choose to publish few, but very big fines. The Luxembourg DPA serves as the perfect example here: its recent fine on Amazon makes up 70% of all GDPR fines and was only the 11th it ever published.
This may be because some countries have allocated more staff to their DPAs, or because the staff of some DPAs are more focused on pursuing violations than those of other countries. Another potential explanation could be that the focus of the different DPAs differs: while some may put more emphasis on consultation before fining, others may combine the approaches and issue fines directly.
On the other hand, some DPAs show little willingness to investigate complaints about large companies and issue fines. The Irish Data Protection Commission, the most disputed DPA in the European Union, had received criticism for its handling of data protection violations by some of the world’s largest firms, including Google and Facebook. Its recent decision to fine WhatsApp Ireland for insufficient fulfilment of information obligations (put simply, WhatsApp does not properly inform EU citizens how it uses their data and how it shares them with Facebook) has been praised by privacy experts all over Europe as a good first step forward.
How are fines calculated?
There is no common framework for the calculation of possible fines. However, the German and the Dutch DPAs have proposed calculation models. The German model takes into account the basic economic value of the company and the severity of the violation, while the Dutch one considers the latter to be the most important factor. In both models, the severity of the violation is rated in four categories using the criteria established in article 83.2 of the GDPR. Some of the aspects to be considered in particular when evaluating the severity of the violation are:
- the type, extent and purpose of the data processing
- the categories of the personal data concerned
- the number of the persons concerned and the extent of the damage suffered
- the intent or negligence of the infringement
- the measures taken to mitigate the damage
Regarding the amount of the fines, there is no clear trend because they are decided on a case-by-case basis. However, some DPAs are working on creating models for consistent and comparable fines for comparable cases.
All institutions and companies doing business in the EU are advised to continuously monitor and improve their security measures, as data protection will continue to be closely monitored by the authorities. It is safe to assume that the gradual establishment of best data processing practices and the possible strengthening of the staff of the DPAs will lead to more fines in the future. We are only beginning to see the true power with which the GDPR has entrusted the DPAs.