When it launched, Europe’s General Data Protection Regulation (GDPR) became bigger than Beyoncé. Since then some of the hype around the data law has waned, but there’s still one thing that gets people excited: fines.
Under the law, data protection regulators across Europe have boosted powers to punish companies and organisations who are found in breach of GDPR. The most serious consequences can be fines of up to €20 million (£17m) or four per cent of a firm’s global turnover (whichever is greater). These are larger than the £500,00 penalties that could be issued by the UK’s regulator, the Information Commissioner’s Office, under the old data protection rules.
Before GDPR was enforced there were outlandish predictions that businesses would be hit with huge fines for data protection issues. Some estimates claimed GDPR fines would be 79 times higher than those under previous rules; others said banks would be hit with fines of up to €4.7bn (£4.06bn) in the coming years.
Unsurprisingly there hasn’t been a huge deluge of fines running into millions or billions of euros, but the EU’s 28 data protection regulators are slowly beginning to flex their enforcement muscles – including against big tech companies.
After the first year of GDPR, the European Data Protection Board reported ((PDF) that nations had examined 206,326 cases under the law. Helen Dixon, the Irish Data Protection Regulator who has jurisdiction over US tech companies because of their European headquarters in Ireland, has investigations open into at least 17 multinational firms. These include Facebook and its subsidiaries WhatsApp and Instagram, plus Google and Twitter.
Regulators have already moved against big tech companies and others who have failed to properly protect consumer data. Here’s what we know about the GDPR fines that have been issued around Europe so far and why they’ve been handed out.
Google’s pre-ticked boxes
On the day GDPR came into force across Europe (May 25, 2018) the French data protection regulator received a complaint about Google. Three days later another arrived at the door of the National Data Protection Commission (CNIL) and at the start of 2019, CNIL hit Google with a €50m (£43m) fine.
CNIL said the penalty was for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation”. In a summary of its decision, CNIL broke the fine down into two areas: not providing enough information about how Google uses information provided to it from across 20 different services and not correctly gaining consent for processing user data.
The regulator’s full decision (PDF) says when setting up a Google account there was only one option of accepting all processing of personal data, not a breakdown of all the types of information that would be handled. It also added there were pre-ticked boxes within Google’s options, which are not allowed under GDPR.
CNIL said: “The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
Bulgaria’s DSK Bank leak
Bulgarian financial group DSK Bank was hit with a one million levs (£440,000) fine by the country’s Commission for Personal Data Protection at the end of August 2019 after names, addresses, copies of ID cards and bank account numbers of more than 30,000 people were disclosed accidentally.
There were also details of 23,000 loans that were also disclosed, with the country’s the data protection regulator saying there were details of “an unlimited number of related third parties'” within the disclosure. Few details about how the data breach happened have been revealed but a report from Reuters said the bank had previously been contacted by a “Bulgarian former convict” who had a database of customer details.
The nation’s data protection regulator concluded the bank hadn’t implemented the “appropriate technical and organisational measures” to guarantee the “confidentiality, security, integrity, availability and sustainability of the systems and servers” where personal information was stored.
La Liga’s spying app
GDPR’s weirdest fine so far. Spanish data protection agency, AEPD, fined the country’s top football division, La Liga, €250,000 (£215,000) for spying on people who had downloaded its app. The creators of the app promised it would offer real-time game updates and scores, however it was also using the microphone and GPS location of phones to listen to what was going on around fans.
The point of the snooping? The app was collecting location and sound data to try and identify locations that were illegally streaming game footage without the correct licence. The app had been downloaded more than ten million times.
The league was punished for not properly telling users about the data being collected and how often it was doing so (up to once per minute during matches). The Spanish football organisation disagreed with the fine and said the penalty was “unfounded and disproportionate”.
British Airways’ breached website
When is a GDPR fine not a GDPR fine? When’s it’s a notice of intent. The UK’s regulator, the Information Commissioner’s Office (ICO), has plans to fine British Airways £183m for a security lapse in its app and website during June 2018. At this stage, the fine on the airline hasn’t been issued but will be finalised when the airline has responded to the ICO’s findings.
What is certain is BA’s data breach. Fraudulent code inserted into the airline’s systems directed customers to a false site where the details of 500,000 people were compromised. GDPR’s security principle says that appropriate technical and organisational measures should be taken to protect user data.
Usernames and passwords, credit card details and important information required for travelling on flights, including names and addresses, were all taken in the data grab. The hack was believed to have been caused by 22 lines of code inserted by the Magecart hacking group.
Marriott’s inadequate due diligence
One day after the proposed British Airways fine, the ICO issued another notice of intent. This time it was against Marriott hotels. The proposed payment? £99,200,396.
In Marriott’s case, 339 million guest records from around the world were exposed. “It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014,” the ICO said when it issued its notice of intent. Marriott purchased Starwood in 2016 but the leaked data wasn’t found until 2018. The ICO said Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems. Like in the British Airways case, a final fine amount is still pending.
More great stories from WIRED
? Say hello to the huge climate problem no one is talking about
?️ Inside the sinking megacity that can’t be saved
? Meet the economist with a brilliant plan to fix capitalism
? Long Read: Inside Google Stadia
? Expand your mind with the WIRED guide to the best podcasts