It has been three years since the European Data Privacy and Security Act was introduced on May 25, 2018.
The GDPR regulates how organizations operating in the EU use, process and store consumer personal data.
Initially, SMEs and start-ups feared that they did not have enough resources to comply fully with the rules.
Other critics have suggested that the law relies too heavily on consumers knowing and understanding their rights.
Since its launch, information commissioners across Europe have issued fines totalling hundreds of millions of euros.
Offences include retailers that misrepresented how they use CCTV cameras to monitor their employees, and companies that failed to comply with the “right to be forgotten”.
The law replaced the old data protection law and was drafted in Europe, but regulators can fine organisations anywhere in the world that target and collect data from people in the EU.
There are two tiers of penalty, up to €20 million (£17.29 million) or 4% of global revenue.
The money collected is used to fund public services. The largest fines recorded so far are:
1. Google (€50 million / £43.2 million)
Google was one of the first companies to suffer a substantial GDPR fine, €50 million in 2019.
The fine was imposed after French regulators ruled that the company had failed to make its consumer data processing statements easily accessible to users.
The tech giant was also found not to have sought user consent to use the data for targeted advertising campaigns.
Google appealed, but the French High Court upheld the fine last June.
2. H&M (€35.3 million / £32.1 million)
H&M was fined by German regulators in 2020 after it emerged that the company had been secretly monitoring hundreds of employees.
If workers took holiday or sick leave, they had to attend a meeting with senior staff of the retail giant on their return.
These meetings were recorded and made accessible to H&M managers without the staff’s knowledge.
The data collected from the interviews was used to create a “detailed profile” of the workers, which influenced decisions about their employment.
3. Tim (Telecom Italia) (€27.8 million / £24 million)
In early 2020, the Italian data protection authority fined the telecommunications company Tim, formerly known as Telecom Italia, a hefty €27.8 million.
The fine was imposed after numerous complaints about unwanted promotional calls. The regulator, the Garante, said it had received hundreds of complaints between January 2017 and early 2019.
Customers received nuisance calls without their consent, even when they had added their phone numbers to Italy’s “Call Ban” list or had explicitly told the caller to revoke their consent to such calls. One person was reportedly called 155 times in a month.
The breaches were so serious that the regulator issued heavy fines and 20 “corrective actions” against the company.
4. British Airways (£20m)
British Airways was fined in 2020 after users of its website were diverted to a fraudulent site.
The data breach allowed hackers to collect personal data on about 400,000 people.
The leaked data included login and travel booking details, names, addresses, and credit card information.
Initially, the Information Commissioner’s Office (ICO) said it would fine BA £183.4m, which would have been the biggest fine issued under the GDPR.
However, more than a year later, the fine was dramatically reduced, taking into account the “economic impact of Covid-19”.
It was still the highest fine issued by the ICO, and the breach was found to be the result of British Airways’ negligence.
BA notified customers as soon as it noticed the problem, cooperated fully with the investigation, and said, “We have significantly improved the security of the system since the attack.”
5. Marriott International Hotel (£18.4 million)
The British hotel chain Marriott International was fined in 2020 for a hack dating back to 2014 that was not discovered until four years later.
The hack exposed the personal information of about 300 million customers, including credit card information, passport numbers, and dates of birth. Seven million of those guest records related to British people.
As with the British Airways fine, the ICO initially said it would impose a much higher fine of £99m, but later reduced the amount.
Where does the GDPR money go?
In the UK, all fines issued by the ICO are paid into a central government fund belonging to the Ministry of Finance.
The Consolidated Fund is the government’s general bank account at the Bank of England.
Founded in 1787, it aims to be “a fund that draws in all the flow of public income and provides all services from it.”
This means that GDPR fines, like tax revenues, are used to fund public services.
Most other EU countries use a similar structure.
Rob Elliss of the tech firm Thales says the GDPR faces even more challenges in the post-Covid world, despite the successful collection of large fines so far.
“When the GDPR was first drafted, the law didn’t necessarily take into account the adoption of new technologies and the rapid transition to the cloud brought about by the pandemic,” he said.
“In this era of telecommuting, businesses needed to digitally transform almost overnight to keep the lights on, without necessarily incorporating security into the design of new systems and processes.”
Correction, May 25, 2021: Earlier versions of this story included some out-of-date information about the fines imposed on British Airways and Marriott International Hotels, and wrongly included Amazon in the list of the top five fines. Amazon was not fined in connection with the GDPR but under the French individual electronic privacy directive; the figures have been updated and Amazon has been replaced in the list by Tim.