GDPR fines make non-compliance a costly mistake. Learn the GDPR’s logic for imposing the fines and take note of the largest GDPR fines to date.
The General Data Protection Regulation (GDPR) took effect throughout the European Union on May 25, 2018, marking a significant milestone in data privacy and security. In the five years since, GDPR has shaped data privacy and protection practices worldwide, while the supervisory authorities monitor compliance closely.
Although organizations are striving to meet the GDPR’s demanding requirements, several high-profile violation cases have emerged. For instance, the largest GDPR fine to date is €1.2 billion (about $1.28 billion at the time), imposed for transferring Europeans’ personal data to the United States without a sufficient legal basis.
Studying GDPR violation cases is as important as learning the compliance requirements themselves. So, let’s explore the GDPR’s logic for imposing fines and take note of the largest GDPR fines to date.
On the eve of the fifth anniversary of GDPR enforcement, Meta Platforms Ireland Ltd. faced a €1.2 billion (about $1.28 billion) fine for processing data without a sufficient legal basis. In May 2023, the Irish Data Protection Commission (DPC) announced that Meta Ireland had transferred the personal data of European Facebook users to the United States without protecting it adequately. In other words, Meta moved large volumes of European users’ personal data to the U.S. without sufficiently shielding it from U.S. government surveillance. To move the data, Meta Ireland relied on Standard Contractual Clauses (SCCs), a commonly used transfer mechanism. The SCCs Meta adopted, however, did not address the risks to the fundamental rights and freedoms of data subjects.
Notably, Meta Ireland had already been fined €265 million in November 2022 for insufficient technical and organizational measures to ensure information security. The 2023 fine is far more telling, because it shows the scale of GDPR enforcement.
In July 2021, Amazon Europe was fined €746 million (about $887 million) for non-compliance with general data processing principles. The penalty followed a complaint by 10,000 individuals submitted through a French privacy rights organization that defends freedoms in the digital realm. In response, the Luxembourg data protection authority (CNPD) opened an inquiry into Amazon’s handling of customers’ personal data. The investigation found violations related to the improper use of advertising targeting systems: Amazon targeted customers without obtaining their consent. For consent to be valid under GDPR, a company must explain in clear and plain language what data is collected, for what purpose, and who will have access to it.
Amazon strongly disagreed with the decision, arguing that it lacks a valid basis and that there was no data breach or disclosure to any external party. That argument was rejected, because GDPR is not only about data security but also about privacy: how companies use personal data, how transparent their practices are, and whether the processing is lawful are all critical aspects of doing business under GDPR.
WhatsApp Ireland Ltd. was fined €225 million (about $266 million) in September 2021 for insufficient fulfillment of its information obligations. According to the Irish DPC, WhatsApp failed to provide information on how data is collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. In other words, WhatsApp did not properly inform users where their data was stored, for what purposes it was collected, and with whom it was shared.
GDPR fines are designed to make non-compliance a costly mistake for businesses. Because GDPR applies to organizations of every size, from multinationals down to small businesses, the fines are flexible and scale with the organization.
GDPR clearly distinguishes less severe violations from more severe ones. The less severe infringements may lead to fines of up to €10 million or 2% of the organization’s total worldwide annual turnover of the preceding financial year, whichever is higher. These violations pertain to the articles that govern the obligations of:
The more severe infringements go against the fundamental principles of privacy rights. Such violations may lead to fines of up to €20 million or 4% of the organization’s total worldwide annual turnover of the preceding financial year, whichever is higher. These serious infringements encompass the following:
GDPR has significantly shaped data privacy and protection practices in the five years since it took effect. With supervisory authorities monitoring compliance closely, several high-profile cases have exposed gaps in organizations’ data management practices. GDPR fines are designed to make non-compliance a costly mistake, with flexible and scalable penalties based on the severity of the violation and the organization’s turnover.
Discover more exciting topics with our blog, and feel free to contact the Planet 9 team if you have any questions. We’ll be happy to assist!