GDPR fines skyrocket as regulators crack down on privacy violations

No more pandemic-era reprieve. Three years after the General Data Protection Regulation took effect, European regulators are serious about enforcing it.

According to an eye-popping report from Finbold, GDPR fines topped 984 million euros (more than $1.1 billion US dollars) in the third quarter.

That’s nearly 20 times higher than the total fines in the first two quarters of this year, and three times more than the 306 million euros imposed by EU regulators during all of last year.

The report cites factors behind the high Q3 numbers, including the fact that GDPR investigations can take a long time — they could have started months or even years ago and only finished in the third quarter. And after apparently taking a lenient approach during the pandemic, regulators are back in action now as economies recover and businesses regain their footing.

Biggest GDPR fines: Amazon tops the list

GDPR, which took effect in May 2018, places stringent requirements on organizations that collect the data of EU citizens. It gives EU authorities the ability to fine a company as much as 4% of its total revenue for GDPR violations.

Over the past three years, fines have been steadily increasing. To date, here are the top largest GDPR fines:

1. Amazon. In July, Luxembourg’s data-protection authority, the CNDP, imposed a 746 million euro ($867 million) fine against Amazon, accusing the e-commerce giant of GDPR violations. The investigation was initiated by a 2018 complaint by French privacy rights group; Amazon contested the charges and said it planned to appeal, according to Bloomberg.
2. WhatsApp. In September, the Facebook messaging app was slapped with a 225 million euro fine after Ireland’s Data Protection Commission concluded it violated GDPR’s transparency requirements. The fine came after a three-year investigation.
3. Google. In January 2019, authorities in France fined the tech behemoth 50 million euros, accusing it of failing to tell to users how it handles their personal information.
4. H&M. Last October, German data protection officials fined the clothing retailer 35 million euro for GDPR violations related to illegal employee surveillance.
5. TIM. Italian data protection officials levied a 27.8-million euro fine against the telecom operator after hundreds of complaints of unwanted promotional calls.

Luxembourg has imposed the highest total GDPR fines (746 million euro from 11 cases), followed by Ireland and Italy, according to Finbold analysis. Tech and telecommunications companies have incurred the highest fines.

GDPR wake-up call

When GDPR was enacted, businesses weren’t sure what to expect in terms of enforcement. By now, it’s clear regulators mean business.

While big tech and telecommunications companies have incurred the highest fines, a broad range of businesses have been investigated and fined for GDPR violations. The GDPR Enforcement Tracker run CMS, a global legal services firm, illustrates regulators’ wide scope.

Banks, bars, hospital, hair salons, and municipalities have incurred GDPR fines for violations like illegal data processing, insufficient data security, and general non-compliance.

Last month, data protection authorities in Spain fined a hairdressing salon 1,000 euros for failing to disclose how it handles personal data. Denmark officials fined the Danish Cancer Society 107,000 euros for poor technical and organizational information security measures. And the National Bank of Greece was fined 20,000 euros for “insufficient fulfillment of data subjects rights.”

While the Finbold report notes that some companies appeal the GDPR rulings, which sometimes leads to fines being reduced or withdrawn, it also predicts that fines will continue to soar as regulators grow more confident about implementing GDPR guidelines.

Altogether, the regulatory activity puts businesses on notice that GDPR penalties are a growing risk. Along with a growing number of state privacy laws in the US, including the California Consumer Privacy Act, it highlights the need for organizations to make data privacy a priority. Consumers today demand it.