GDPR fines: enforcement practice of the European supervisory authorities
With the GDPR entering into force, not only have data protection standards been raised EU-wide, but supervisory authorities have also been empowered to impose hefty fines to enforce these standards. The possibility of calculating fines against companies on the basis of a percentage of their annual turnover gave large companies an indication that a lack of GDPR compliance could have far-reaching consequences even for them. While the supervisory authorities initially held back in exercising their power, they have started to abandon their restraint. Across the EU, the number of fines imposed has risen, with sums reaching more than 100 million euros.
The legal bases for the imposition of fines are Arts. 58 (2)(i) and 83 GDPR, which empower the supervisory authorities to impose fines and establish criteria for their assessment. Art. 83 GDPR provides that fines should be proportionate, but also dissuasive. The explicit aim of the provisions on fines is to ensure consistent enforcement of the GDPR in order to make it more effective (recitals 148, 150). The prerequisite for the imposition of fines is a violation of the obligations stipulated in the GDPR, whereby different fine ranges apply depending on the type of violation. However, there is hardly any obligation laid down by the GDPR where non-compliance cannot be sanctioned with a fine.
In Germany, two GDPR fines have attracted public attention due to their high amount: A fine of €14.5 million was imposed on the real estate company “Deutsche Wohnen SE” in October 2019. A fine of €9.55 million for the telecommunications provider “1&1” followed in December of the same year. In the case of “1&1”, the supervisory authority still considered the fine imposed to be lenient and declared that it had imposed a fine in the lower part of the possible fine range due to the company’s willingness to cooperate.
These two prominent fines were linked to different GDPR violations. The main reason for the fine imposed on “Deutsche Wohnen” was failure to comply with the GDPR requirements regarding ‘privacy by design’ principles and retention periods. The company used an archiving system which did not provide for the possibility to remove data that was no longer required. In various cases, personal data, some of which was years old, could be accessed without this data still serving the purpose of its original collection.
The reason for the fine imposed on “1&1”, on the other hand, was the lack of sufficient technical and organisational measures to ensure information security. The company’s customer service department had provided callers with extensive information about customers once they had simply given a customer’s name and date of birth.
While these two major fines relate to different GDPR infringements, a closer look at the third and fourth highest fines imposed so far (€294,000 on an unknown company, €195,000 on Delivery Hero) shows that issues relating to data retention seem to be a particular focus for German supervisory authorities. Both of these penalties related, inter alia, to storage and retention or non-deletion of personal data. Delivery Hero failed to delete accounts of former customers who had not been active on the company’s delivery service platform for years, whilst the unknown addressee of the €294,000 fine was accused of unnecessarily long retention of personnel files.
So far, the UK ICO, while known for being a pragmatic regulator, has made the greatest use of the power to impose fines conferred by the GDPR – it is the only supervisory authority to have issued fines in the three-digit million range. Within two days, on 8 and 9 July 2019, it became public that it intended to impose GDPR fines of £183.39 million on British Airways and £99.2 million on Marriott International. Although these fines have not yet been finalised, and will be issued when the companies and supervisory authorities of other member states have provided their input (expected to be on 18 May and 19 June respectively), the ICO has made it clear that it is willing to make full use of the fine scale provided by the GDPR.
Following these two substantial fines, the ICO published a third GDPR fine in December 2019, which appears comparatively mild: a pharmacy (Doorstep Dispensaree Ltd.) was fined £275,000.
The reason for the British Airways fine was a cyber incident that the company itself had notified to the ICO in September 2018. In this incident, user traffic on the British Airways website was partially redirected to a fraudulent website. This website was used by the attackers to harvest customer personal and card data. The incident compromised the personal data of approximately 500,000 customers. The result of the ICO investigation was that a large amount of information was compromised because of poor security measures. The ICO has not published details of what exactly it considered “poor security measures” but it has apparently considered the deficiencies to be so substantial that they justify a £183.39 million fine.
The statement on the Marriott International fine reveals similarities to the British Airways case. Once again, a cyber incident notified by the company itself was the trigger: a variety of personal data contained in approximately 339 million guest records globally were exposed, of which around 30 million related to residents of EEA countries. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
In the case of Doorstep Dispensaree, the lack of data security was even more apparent: the company had stored about 500,000 documents containing personal data in unsealed containers and failed to physically protect these documents, resulting in the documents being damaged by water. While this fine is much lower than the intended fines for British Airways and Marriott, there was no indication of unauthorised access to the personal data, and the ICO takes into account the financial position of the data controller in determining the quantum of any fine.
Rest of Europe
In the rest of Europe, three fines stood out due to their size.
In January 2019, the French authority CNIL fined Google €50 million for alleged privacy violations in the context of setting up a Google account when configuring a mobile phone with the Android operating system. CNIL criticised a lack of transparency, inadequate information and a lack of valid consent regarding ads personalisation. It specified that the obtained consent declarations had not been “specific” and “unambiguous” as required by Art. 4 (11) GDPR.
In January 2020, the Italian supervisory authority fined TIM (a telecommunications operator) €27.8 million. Again, several reasons led to this decision, particularly a lack of consent for marketing activities (telemarketing and cold calling), contacting data subjects who had asked not to be contacted with marketing offers, invalid consent declarations collected in TIM apps, a lack of appropriate security measures to protect personal data and a lack of clear data retention periods.
Another high fine was imposed on the Austrian Post in October 2019. It was fined €18 million for creating profiles of more than three million Austrians, containing information about their home addresses, personal preferences, habits and possible party affinities – which were then sold on, for example, to political parties and companies.
The various European regulators have different priorities when it comes to fining GDPR non-compliance, and basically any non-compliance with privacy requirements can lead to significant fines. Still, a certain emphasis was put on non-compliance with retention and security requirements as well as a lack of a decent legal basis for the data processing conducted by the companies. While we will see high fines for non-compliance with other areas of the GDPR in the near future, fines relating to legal bases, security and retention requirements will also keep on coming.