The European Union General Data Protection Regulation (EU GDPR) has applied since May 25th, 2018. It has become the de facto gold standard for privacy and personal data protection: organisations must respect personal data and comply with the data protection law of every country in which they operate.
However, understanding, implementing and operating such compliance with country-specific laws on an ongoing basis is inherently complex, and more so when data flows across borders between two or more countries. Many global companies have consequently failed to implement the personal data and data protection principles enumerated in the EU GDPR. Having been found in violation, many organisations have had substantial fines imposed by a Data Protection Regulator once non-compliance was established. A Data Protection Regulator or Commissioner (the supervisory authority) is appointed in each EU country; it is responsible for determining whether an infringement has occurred, how severe the non-compliance is and, finally, the administrative fine to be levied under Article 83(4) and 83(5) of the EU GDPR.
May 25th, 2021 marked the third anniversary of the GDPR. Its advent is hailed as the benchmark for data privacy and security law because it set before the world an example of unified data protection regulation, replacing rules that were previously scattered and ill-suited to contemporary technology.
The GDPR took a firm stance on the protection and privacy of personal data at a time when breaches were making headlines daily. With fines of up to 4% of annual global turnover for violations of its privacy and security standards, the GDPR reaches organisations anywhere in the world, so long as they target or collect data of people in the EU. It is often referred to as the strictest data protection law in the world.
For companies that had grown used to processing client information with little restraint, adapting has been a struggle despite the threat of enforcement, and it has produced record-breaking GDPR fines running into millions of dollars. Brought into force to change the world for the better, the Regulation has also thrown its fair share of challenges at businesses across the globe.
GDPR violations and types of administrative fines (Article 83)
Article 83(4) and 83(5) of the GDPR set out the "general conditions for imposing administrative fines" for non-compliance by companies and businesses of all types.
GDPR fines are structured to make non-compliance a costly mistake for businesses of all sizes. The approach is risk-based: the obligations, and the exposure, grow with the volume and sensitivity of the personal data a company processes.
Violations are not limited to breaches of information security; companies can find themselves on the wrong side of the law for outdated systems and processes that fail to meet the Regulation's requirements.
The GDPR requires companies to implement "appropriate" technical and organisational measures to protect personal data (Article 32), taking into account the state of the art, the cost of implementation and the risk to data subjects. The term "appropriate" is not explicitly defined. This ambiguity leaves companies to their own interpretation, while giving supervisory authorities broad leeway in penalising data breaches and other non-compliance relating to personal data.
Some of the most significant GDPR fines issued to date have arisen out of the mismanagement of personal data processing: invalid consent, disregard for privacy and disregard for data security.
Article 83(4) and 83(5) of the GDPR outline two levels of fines:
Lower-tier fines (Article 83(4))
A lower-tier violation of the GDPR can result in fines of up to €10 million (about $11 million), or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. Such penalties arise for breaches of the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43, for example:
- failure to implement appropriate security measures for processing (Article 32)
- failure to carry out a data protection impact assessment (DPIA) where one is required (Article 35)
Higher-tier fines (Article 83(5))
A higher-tier violation can result in fines of up to €20 million (about $22 million), or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. Such penalties relate to:
- the basic principles for processing, including data collection and usage (Articles 5, 6 and 9)
- the conditions for consent (Article 7)
- compliance with the data subject's rights (Articles 12 to 22)
- transfers of personal data to third countries or international organisations (Articles 44 to 49)
- non-compliance with an order or limitation imposed by a supervisory authority (Article 58(2))
Furthermore, Article 84 of the GDPR provides for other "penalties". It states:
- Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
- Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
How are GDPR administrative fines determined?
The data protection regulator in each EU country (the supervisory authority) decides whether an infringement has occurred and, if so, how severe the penalty should be. Under Article 83(2) of the GDPR, authorities weigh the following criteria when assessing a violation and setting the amount of the fine:
- the nature, gravity and duration of the infringement: what happened, how and why, including the number of data subjects affected, the damage they suffered and how long it took to resolve
- whether the infringement was intentional or the result of negligence
- any action taken by the controller or processor to mitigate the damage suffered by data subjects
- the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented under Articles 25 and 32 (data protection by design and security of processing)
- any relevant previous infringements by the controller or processor
- the degree of cooperation with the supervisory authority in remedying the infringement and mitigating its effects
- the categories of personal data affected, in particular whether special-category (sensitive) data was involved
- how the supervisory authority became aware of the infringement, in particular whether, and to what extent, the organisation notified it, and whether it did so promptly
- whether measures referred to in Article 58(2) have previously been ordered against the controller or processor for the same subject matter
- adherence to approved codes of conduct (Article 40) or approved certification mechanisms (Article 42)
- any other aggravating or mitigating factor, such as financial benefits gained or losses avoided, directly or indirectly, as a result of the infringement
The biggest GDPR administrative fines
From its inception in May 2018 to January 2020, GDPR fines totalled $139 million. By January 2021, total reported fines had more than doubled to $332 million.
The DLA Piper GDPR data breach survey published in January 2021 reported a 19% increase in breach notifications, from 278 to 331 per day, comparing the 2019-2020 period with 2020-2021.
Over the first three years, Italy tops the list, with GDPR fines costing companies $91 million. France stands next, with $65 million, and Germany is third, with $58 million.
The largest single fine so far is the $55 million (€50 million) fine issued to Google on January 21, 2019; the smallest is a $33 fine issued against an unnamed party on November 18, 2020, in Hungary.
Of the 737 GDPR fines imposed as of the publication of this article, we look at the data privacy transgressions of six high-profile organisations.
Google LLC
On the day the GDPR came into force, two privacy rights groups, noyb (My Privacy is None of Your Business, noyb.eu, founded by Max Schrems) and La Quadrature du Net (LQDN), filed complaints against Google, claiming that Google lacked a valid legal basis, as mandated by the GDPR, to process user data for ad personalisation.
The option to personalise ads was pre-ticked by default, which the regulator found contrary to the GDPR. On investigation, the regulator found that Google had not obtained clear consent to process data because "essential information" was "disseminated across several documents". The ruling targeted Google's business model, which turns data collected from its search engine, Google Maps and YouTube into narrowly targeted ads.
Setting a landmark for fines in GDPR history, the French regulator CNIL fined Google €50 million (about $55 million), citing Articles 5, 6, 13 and 14 of the GDPR: lack of transparency, inadequate information and lack of valid consent for ads personalisation.
H&M
The retailer H&M was found to have been monitoring its employees at a service centre in Nuremberg, Germany, collecting excessive records about the families, religion and illnesses of its workforce, which constitute special-category (sensitive) data. A network drive of around 60GB was discovered containing employee information such as health data, family disputes and holiday experiences.
This data was gathered by managers through informal chats and gossip, recorded in detail and used in performance evaluations and employment decisions. The issue came to light when a technical error made the network drive accessible to everyone in the company for some time.
Citing Articles 5 and 6 of the GDPR, the Hamburg Commissioner for Data Protection and Freedom of Information fined the company €35.3 million (about $41 million) in October 2020 for processing without a sufficient legal basis.
Italian Telecom, TIM
On January 15, 2020, the Garante, the Italian Data Protection Authority, issued a €27.8 million (about $31.5 million) GDPR fine to the Italian telecommunications operator TIM. TIM's infractions consisted of a series of overly aggressive promotional campaigns.
The company was found to have made unsolicited promotional calls to people who had not given consent, including numbers registered on the do-not-call list. Call centres working for TIM were commissioned to make millions of cold calls, and some numbers in their databases were called more than 150 times in a month.
For unlawful data processing, aggressive marketing, improper management of consent and excessive data retention, the Garante found breaches of Article 5 (principles relating to processing of personal data), Article 6 (lawfulness of processing), Article 17 (right to erasure), Article 21 (right to object) and Article 32 (security of processing) of the GDPR.
British Airways
The international airline suffered a data breach affecting more than 400,000 customers. Attackers diverted user traffic to a fraudulent site, where they covertly collected personal and financial information, including login details, names, addresses and payment card details.
British Airways notified the UK ICO of the breach in September 2018; the breach is believed to have begun around June 2018.
In July 2019 the ICO announced its intention to fine British Airways £183 million (about $230 million at the time). British Airways had earlier disclosed, in October 2018, that a further 185,000 customers who had made reward bookings between April and July 2018 might also have been affected. After considering representations from the airline and "the economic impact of Covid-19", the ICO issued the final penalty in October 2020: £20 million (about $26 million).
Citing Article 5(1)(f) and Article 32, the ICO fined British Airways for insufficient technical and organisational measures to ensure information security.
Marriott International Inc.
The international hotel chain disclosed a cybersecurity breach in late 2018 involving the Starwood guest reservation database, which Marriott had acquired with Starwood in 2016; the attackers had been inside that system since 2014. The breach exposed personal data in up to 339 million guest records worldwide, including payment card details, passport numbers and dates of birth. Marriott discovered the intrusion in September 2018 but did not make it public until November 2018.
The ICO found that Marriott had failed to carry out sufficient due diligence when it acquired Starwood and had not done enough to secure its systems. In July 2019 it announced an intention to fine the hotel chain £99 million (about $124 million at the time), a lower-tier fine under Article 32; the final penalty, issued in October 2020, was £18.4 million (about $23.8 million).
The ICO penalised Marriott International for insufficient technical and organisational measures to ensure information security, referring to Article 32 of the GDPR.
Österreichische Post
Österreichische Post (Austrian Post), the national postal service of Austria, was found to have been collecting and selling customer information. The company had profiled approximately three million Austrians for sale to political parties and various marketing companies.
Profiling was based on customers' age, address and inferred political orientation, the last of which is special-category data. Citing Article 5(1)(a) and Article 6 of the GDPR, the Austrian Data Protection Authority (DSB) issued a higher-tier fine of €18 million (about $20 million) in October 2019 for processing without a sufficient legal basis. The fine was later annulled on appeal by the Austrian Federal Administrative Court in November 2020 on procedural grounds, which illustrates that headline enforcement figures do not always survive judicial review.
Enforcement numbers are as per https://www.enforcementtracker.com/
Facebook’s violation of EU GDPR
Facebook, the largest social media platform in the world, has embroiled itself in many controversies over the misuse and abuse of user data and personal information, and has faced legal cases across the globe.
Strategic Communication Laboratories (SCL), UK, was an advertising firm specialising in behavioural research and strategic communications. In 2013, Cambridge Analytica (CA) was launched as a subsidiary of SCL. Cambridge Analytica specialised in data mining and data analysis of target audiences; based on the results, communications were designed and targeted at key audience groups to modify their behaviour towards an outcome chosen by the SCL client. CA described itself as a "Global Election Management Company".
It is alleged that Cambridge Analytica harvested the profiles and data of up to 87 million Facebook users without their explicit consent in order to influence the 2016 US elections.
During its investigation, the UK ICO found that Facebook had breached data protection law by failing to keep users' personal information secure, allowing Cambridge Analytica to harvest the data of up to 87 million people without their consent. The now-defunct firm worked for the Trump presidential campaign and used the data to target voters in the 2016 US presidential election.
The fine was originally issued in October 2018 as part of the UK ICO's investigation into the use of social media data for political purposes. Facebook agreed to pay it in October 2019, after more than a year of appeals between the regulator and the company.
The fine was levied under the UK Data Protection Act 1998, which capped the maximum penalty the ICO could impose at £500,000; because Cambridge Analytica harvested the data in 2015, the ICO could not apply the stricter regime that came later. Under the Data Protection Act 2018, which implements the GDPR in the UK, the same offence could attract a fine of up to €20 million (about $22 million) or 4% of annual worldwide turnover, whichever is higher.
“Cambridge Analytica’s data protection violation occurred in 2015, for which Facebook, on October 31, 2019, finally agreed to pay a fine to the UK ICO. Facebook was only fined a paltry $690,000 since the maximum possible fine the ICO could levy, before the GDPR came into force, was £500,000. Had the breach occurred after the inception of GDPR, the potential fine levied upon Facebook could have gone through the roof – up to 4% of Facebook’s annual turnover.”
The United States and the European Union are the world's largest net exporters of digitally enabled services, with business volume close to $700 billion annually. International data transfers between the USA and the EU underpin this digital services trade.
From 2016, the EU-US Privacy Shield facilitated these transfers by establishing data privacy safeguards and protections for EU data subjects.
Max Schrems, an Austrian privacy activist and lawyer known for his campaigns against Google and Facebook over violations of EU privacy law, filed complaints under the GDPR on the day it came into force, 25th May 2018, including one against Facebook for pressuring its users into accepting its data collection policies. Facebook's European headquarters is in Ireland, so the Irish Data Protection Commissioner (DPC) is its lead supervisory authority. Separately, Schrems' long-running complaint to the Irish DPC, originally lodged in 2013 and reformulated in 2015 after the CJEU struck down Safe Harbor in Schrems I, challenged the transfer of EU users' personal data from Facebook Ireland to Facebook Inc. in the United States.
Schrems asked the Irish DPC to suspend Facebook's transfers, which relied on the European Commission's Standard Contractual Clauses (SCCs). The DPC instead brought proceedings in the Irish High Court questioning the validity of the SCC decision itself, and the High Court referred the questions to the Court of Justice of the European Union (CJEU).
Before the CJEU, Schrems argued that the Privacy Shield should be invalidated because US surveillance law, in particular the Foreign Intelligence Surveillance Act (FISA), does not afford EU data subjects a level of protection essentially equivalent to that guaranteed by the EU Charter of Fundamental Rights and the GDPR. Personal data sent to the US could be accessed by US intelligence services, breaching data subjects' fundamental rights.
Specifically, the Court found that surveillance under Section 702 of FISA and Executive Order 12333 is not limited to what is strictly necessary and that EU data subjects lack an effective judicial remedy against it.
On 16 July 2020, in its "Schrems II" judgment (Case C-311/18), the CJEU invalidated the EU-US Privacy Shield entirely. It upheld the SCCs, but only on condition that the data exporter assesses, case by case, whether the law of the destination country affords essentially equivalent protection, and adopts supplementary measures or suspends the transfer where it does not. The judgment thus restricted the ways in which companies such as Facebook may send European citizens' personal data to the US.
However, on June 4, 2021, the European Commission adopted new tools for safe transfers of personal data across borders: two sets of Standard Contractual Clauses (SCCs):
- between controllers and processors (Commission Implementing Decision (EU) 2021/915)
- for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914)
They reflect the requirements of the GDPR and take into account the CJEU's Schrems II judgment, so as to ensure a high level of data protection for citizens. The main update is that the new SCCs are aligned with the GDPR, whereas the previous sets had been adopted under the 1995 Data Protection Directive.
The new SCCs give European businesses greater legal certainty. They address the requirements for safe data transfers while allowing data to move freely across borders. Practitioners should note the transition deadlines: the old SCCs can no longer be used for new contracts after 27 September 2021, and existing contracts relying on them must be migrated to the new SCCs by 27 December 2022.
For the full text, see Commission Implementing Decision (EU) 2021/914 on EUR-Lex (CELEX 32021D0914, eur-lex.europa.eu).
When the EU GDPR came into force on May 25th, 2018, few expected it to last, as its implementation and compliance burden seemed too harsh for the market to handle. With time, its emphasis on protecting data subjects' personal information, and penalties worth millions for non-compliance, have made the GDPR a law that is respected across the globe. Many countries have followed in its footsteps and are launching their own data privacy laws.
Regulators do not distinguish between big and small companies. If you run a business that deals in any way with the personal data of EU residents, it is crucial to understand how the GDPR can affect you.
We at Data Secure (www.datasecure.ind.in) can help you understand the EU GDPR and its ramifications, and design a solution that meets its compliance and regulatory framework and avoids potentially costly fines.
For a demo or presentation of solutions for Data Privacy and Privacy Management under the EU GDPR, CCPA or Draft India PDPB 2019, and for secure email transmission, kindly write to us at email@example.com.
To download the various global privacy laws, kindly visit the Resources page at DATA SECURE – Privacy Automation Solution.