Privaci Learning


The Biggest GDPR fines and penalties of 2020/2021

Under the General Data Protection Regulation (GDPR), there are two levels of fines that European Union Data Protection Authorities (DPAs) impose on organizations that violate the GDPR. Since the enactment of the GDPR, DPAs have issued hundreds of millions of euros worth of fines to global companies.

The less severe infringements result in a fine of up to 2% of a company's global annual revenue or 10 million euros. Organizations are issued this fine if they violate GDPR articles related to:

  • Controllers and processors (Articles 8, 11, 25-39, 42, and 43)

  • Certification bodies (Articles 42 and 43) 

  • Monitoring bodies (Article 41)

The more severe infringements result in a maximum fine of up to 4% of an organization’s global annual revenue or 20 million euros. Organizations are issued this fine if they violate GDPR articles related to:

  • The basic principles for processing (Articles 5, 6 and 9) 

  • The conditions for consent (Article 7)

  • The data subjects’ rights (Articles 12-22)

  • The transfer of data to an international organization or a recipient in a third country (Articles 44-49)

In 2020, H&M was fined 35.3 million euros by German regulators as a result of the company secretly surveilling its employees. The second-largest fine was given to Telecom Italia after the Italian DPA received hundreds of complaints concerning unsolicited promotional calls. Telecom was fined a total of 27.8 million euros.  

In June 2021, the Commission Nationale pour la Protection des Données (“CNPD”) conducted an investigation into Amazon’s collection and use of personal data. The investigation was based on a complaint submitted by a French privacy advocacy group, La Quadrature du Net (LQDN). LQDN claimed that Amazon was using targeted ad systems without users' consent, in violation of the GDPR.

The CNPD initially suggested that a $425 million fine should be issued to Amazon. However, in July 2021, the CNPD instead issued the largest GDPR fine on record — an $838 million fine (746 million euros). Amazon indicated that it would appeal the fine.

Given the increasing relevance and concerns regarding data privacy, we can expect to see stricter enforcement of the GDPR and more fines.