Google. Marriott. British Airways. H&M. The list of companies hit with large General Data Protection Regulation (GDPR) fines is growing increasingly long. But what are they getting fined for? And how could they have prevented the imposition of such massive GDPR penalties?
Continue reading below to learn about who’s paying the biggest GDPR fines, why, and how they could have been avoided.
The Largest GDPR Fines from 2018-2021
The table below sets out the GDPR fines imposed since the General Data Protection Regulation’s inception in 2018. But the numbers don’t tell the whole story. The fines referred to in the table were incurred for a broad range of actions (or inaction). Many are being appealed or disputed in court. Finally, the fine totals represent wildly varying proportions of the culpable data controllers’ annual revenue.
Data Controller | Fine (in €) | Date fine imposed | GDPR Article(s) violated | Violation type | Country |
Google Inc. | 50,000,000 | 21 March 2019 | 5, 6, 13, 14 | Insufficient legal basis for data processing | France |
H&M Hennes & Mauritz Online Shop A.B. & Co. KG | 35,258,708 | 1 October 2020 | 5, 6 | Insufficient legal basis for data processing | Germany |
TIM | 27,800,000 | 15 January 2020 | 5, 6, 17, 21, 32 | Insufficient legal basis for data processing | Italy |
British Airways | 22,046,000 | 16 October 2020 | 5, 32 | Insufficient technical and organizational measures to ensure information security | United Kingdom |
Marriott International, Inc. | 20,450,000 | 30 October 2020 | 32 | Insufficient technical and organizational measures to ensure information security | United Kingdom |
Wind Tre S.p.A. | 16,700,000 | 13 July 2020 | 5, 6, 12, 24, 25 | Insufficient legal basis for data processing | Italy |
Vodafone Italia S.p.A. | 12,251,601 | 12 November 2020 | 5, 6, 7, 15, 16, 21, 24, 25, 32, 33 | Non-compliance with general data processing principles | Italy |
notebooksbilliger.de | 10,400,000 | 8 January 2021 | 5, 6 | Insufficient legal basis for data processing | Germany |
Eni Gas e Luce | 8,500,000 | 11 December 2019 | 5, 6, 17, 21 | Insufficient legal basis for data processing | Italy |
Caixabank S.A. | 6,000,000 | 13 January 2021 | 6, 13, 14 | Insufficient legal basis for data processing | Spain |
Data from Enforcement Tracker.
Details of the Top 3 GDPR Fines
The largest fines ever imposed by GDPR administrative authorities include a complex case involving Google and two particularly egregious instances of disregard for the privacy of data subjects and employees in the cases of Tim S.p.A. and H&M, respectively.
Google’s Failure to Obtain Affirmative Consent
Google was originally fined 50 million Euro by the French Data Protection Authority (CNIL) for deficiencies in its Privacy Policy that led to breaches of the requirements for transparency and lawful processing under the GDPR.
Essentially, Google’s Privacy Policies required data subjects to take up to five or six actions to determine how their data was going to be processed. Even then, the information provided was neither clear nor comprehensive.
Google appealed the imposition of the fine. In a decision announced on June 19, 2020, the Conseil D’Etat (Council of State), France’s supreme administrative court, ruled that the fine imposed on Google by CNIL on January 21, 2019, was proper and enforceable.
Google argued a number of points on appeal, including an alleged lack of jurisdiction by the French authorities because Google’s European headquarters are located in Ireland. The appellate tribunal found that Google had, in fact, failed to provide adequate information to data subjects about how their data would be processed and failed to provide an opportunity to opt-in to the processing of their data. This led to violations of Articles 5, 6, 13, and 14 of the GDPR.
Finally, the Council of State also found that the 50 million Euro fine was not excessive or disproportionate when taking into account the nature of the breach and the size of the data controller.
Lessons Learned. In more ways than one, the largest ever fine imposed under the GDPR regime illustrates the difficulties that large technology companies have, and will likely continue to have, in crafting adequately transparent and explicable policies for data collection and processing.
In this case, Google had attempted to render its privacy policies more understandable by “layering” them, providing information for different components of its data usage in different locations. Unfortunately, this required data subjects to sift through several stages of information, which CNIL found to be unreasonable.
Critics of the decision have pointed out that it’s difficult to see how a company as large and expansive as Google could possibly create a privacy policy that is both completely informative and fully understandable to a non-expert data subject. Nevertheless, GDPR remains the law of the land (at least in the EU) and organizations will need to traverse the tightrope that is the Regulation’s transparency requirement.
H&M Surveils Employees
On October 1, 2020, international clothing retailer H&M was fined over 35 million Euro for its collection of employee information that far exceeded what was allowed by the General Data Protection Regulation.
According to the Data Protection Authority of Hamburg in Germany, which levied the record-breaking fine, H&M routinely collected info about employee medical conditions and their private lives. This information was collected in extensive staff surveys and informal chats between managers and employees, and constituted a “gross disregard” of privacy rights under the GDPR.
The fine was not appealed by the data controller.
Lessons Learned. This was not a difficult case for the regulator to decide. H&M’s actions were clearly in violation of the GDPR - as well as numerous national labor laws - and the firm’s decision not to appeal highlights the seriousness of the breaches.
These “slam dunk” cases are less instructive than the more borderline decisions - like the fine against Google mentioned above - simply because the behavior on display is so clearly inappropriate. However, the H&M case serves as a prominent reminder that the requirements under the GDPR protect a company’s employees as much as their consumers.
Tim S.p.A. Violates the GDPR in Multiple Ways
The Italian Data Protection Authority levied a 27.8 million Euro fine against Tim S.p.A., a telecommunications company, after an investigation prompted by complaints of aggressive and unwanted marketing to consumers. The investigation also uncovered instances of excessive data retention and invalid data subject consents.
Finally, Tim failed to properly manage and report successive data breaches.
The large fine occurred in the context of a company that breached several articles of the GDPR and was active in an industry with widespread problems in the lawful and proper use of data. The fine was intended to act as a general deterrent to other firms that were similarly careless with the requirements found in the GDPR.
Lessons Learned. Similar in some ways to the H&M ruling discussed above, the Tim case demonstrates grossly non-compliant behavior by a firm sophisticated enough to know better. The company completely failed to take any reasonable steps to obtain consents for marketing contacts and, in the case of one data subject, contacted them over 150 times in a single month.
What is particularly interesting about this case is the suggestion that the fine imposed by the regulator was increased because the data controller was a member of an industry in which the need for general deterrence was particularly pressing. In other words, because telecommunications companies in Italy were routinely ignoring the GDPR, the Italian authorities made an example of Tim.
Companies in industries widely known for breaching the GDPR should take note of this and exercise particular caution.
An Honorable Mention: British Airways has its Fine Reduced by 90%
In 2018, British Airways fell victim to a sophisticated and far-reaching hack that left the personal data of hundreds of thousands of data subjects exposed to unidentified third parties.
The Information Commissioner’s Office (ICO) was notified of the hack by another third party and, after an investigation, announced an intention to fine British Airways 184 million pounds for failure to adequately protect its data subjects from attack. This would have made it the largest fine ever imposed by a GDPR supervisory agency.
However, after hearing representations from the data controller regarding its practices, mitigation measures put in place after the attack, and the impact of COVID-19 on its business, the ICO fined British Airways a “mere” 22 million pounds.
How are GDPR Fines Calculated?
GDPR fines usually refer to administrative fines. In addition to administrative fines, claims for compensation can be made under Article 82 of the GDPR.
Administrative Fines. There are two tiers of administrative GDPR fines. They’re simply referred to as less serious and more serious.
- Less Serious Violations. Less severe violations carry a maximum penalty of up to 10 million Euros or 2% of the data controller’s worldwide annual revenue from the previous year, whichever is higher. Less severe violations include breaches of Articles 8, 11, 25-39, and 41-43.
- More Serious Violations. More serious violations carry a maximum penalty of 20 million Euros or 4% of the data controller’s worldwide annual revenue from the previous year, whichever is higher. More severe violations include breaches of Articles 5, 6, 7, 9, 12-22, and 44-49. These breaches strike at the core of the GDPR’s guarantees of the right to be forgotten and the right to privacy.
Claims for Compensation. Note that the administrative fines discussed above do not include the compensation that may be ordered under Article 82 when a data subject successfully complains that a breach of the GDPR caused them material or non-material harm.
Criteria for Determining the Size of a GDPR Fine
Regardless of whether a fine is considered more or less severe, consistent criteria are used by member states when deciding on the amount of the fine to impose on a data controller responsible for a breach of the GDPR. They include:
- The Gravity and Nature of the Breach: The administrative body will consider what happened, how and why it occurred, how many people were affected and the damage they suffered, whether the issue was eventually resolved, and, if so, how long it took to resolve.
- The Intent of the Data Controller: The administrative body will consider whether the impugned actions were intentional, negligent, or merely unfortunate.
- Damage Mitigation by the Data Controller: Whether the company took any significant actions to eliminate or reduce the damage suffered by affected data subjects.
- Pre-Incident Precautionary Measures: Whether the data controller had, prior to the breach, imposed any significant precautionary measures to comply with the GDPR.
- History: The data controller’s history with respect to previous breaches of the GDPR, other data protection regulation and legislation (like the Data Protection Directive, for example), and compliance with past administrative orders relating to data protection.
- Investigative Cooperation: Whether the company cooperated with data protection investigators and administrators or took a more adversarial and protective approach.
- Category of Breached Data: The type of personal data the breach affected impacts the calculation of the fine.
- Self-Reporting: Whether the company, or one of its agents, proactively reported the breach to the supervisory authority.
- Certification: Whether the firm followed approved codes of conduct with respect to data protection or was previously certified.
- Miscellaneous Aggravating or Mitigating Factors: Any other relevant conduct or inaction that renders the behavior of the data controller more or less culpable.
An Additional Factor: Annual Revenue of the Offending Company
As we mentioned above, regulatory bodies can fine data controllers up to 2% or 4% of the firm’s prior-year annual revenue, depending on whether they’re guilty of a minor or major violation.
How exactly that 4% is to be calculated is currently open to interpretation. As noted on Page 5 of the DLA Piper GDPR fines and data breach survey: January 2021, there is disagreement about whether the revenue to be calculated is the global annual total of the entity being fined, or merely the specific legal entity responsible for the infringement.
The distinction is one of central importance to the enforcement function of the GDPR. If the latter interpretation holds sway, firms could theoretically limit their liability for GDPR penalties by creating isolated legal entities that are responsible solely for data protection and that generate limited, or non-existent, revenue.
How To Avoid GDPR Fines
Avoiding the imposition of fines for GDPR breaches isn’t an exact science. The legislation is wide-ranging and contains a fair bit that is open to reasonable interpretation. That said, there are steps your firm can take to make it less likely that you will be fined and, if you are, that the fine will be on the lower end.
Take Care to Be Transparent
Much early enforcement of the GDPR has focused on the transparency requirement found in Article 5(1)(a) of the Regulations:
"Personal data shall be...processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)"
Early enforcement actions in several countries have targeted privacy notices that were either too opaque (often because of excessive technical language) or too simplistic.
There is no silver bullet here. Being too specific or too vague can both land your firm in hot water. The European Union's website GDPR.eu offers significant guidance on how to draft a compliant Privacy Policy that will meet the requirements of the GDPR.
Additionally, even if the policy your company uses is ultimately determined to be deficient in some way, demonstrating that you took reasonable efforts to understand the requirements of the GDPR and attempted to comply with them could serve as a mitigating factor in the imposition of any penalty.
Ensure Your Data Processing Has a Lawful Basis
Penalized breaches of Article 6 of the General Data Protection Regulation are becoming increasingly common. That article requires a data controller to have a lawful basis for processing data that comes into its possession.
As with creating an adequate Privacy Policy, there is no one correct way to ensure your organization has a lawful basis to process its data. You’ll definitely need legal and proper consents, as well as robust data governance policies to navigate what you’re allowed to do with data and for what purposes.
Maintain Adequate Security
According to Article 32(1) of the GDPR:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..."
The Regulations go on to describe a number of characteristics of adequate security measures, including “the pseudonymisation and encryption of personal data” and “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
Recent GDPR penalties have shed some much needed light on the kinds of security measures that might be required, depending on the nature and scope of the data your organization controls. According to the DLA Piper GDPR fines and data breach survey: January 2021 mentioned above, these are some best practices to consider:
- monitoring privileged user accounts
- monitoring access to and use of databases storing personal data
- implementing “server hardening” techniques to prevent access to administrator accounts
- encryption of personal data, particularly more sensitive personal data
- use of multi-factor authentication to prevent unauthorised access to internet-facing applications
- strict access controls for applications on a needs basis, with prompt removal of access when no longer required
- regular penetration testing
- not storing passwords in plain-text, unencrypted files, and not hardcoding them in source code or configuration
- logging failed access attempts
- carrying out manual code reviews to check personal data is not being logged where it should not be
- processing payment card information in accordance with the PCI DSS Standard
Even if you implement these measures, however, remember that “appropriate” security measures will depend entirely on the partially subjective factors described in Article 32(1). The measures you take should be based on the specific data your firm holds and the risks posed by controlling and processing that data.
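The two list items that translate most directly into code are password storage and the logging of failed access attempts. The following Python script is an added example for this article, not code from DLA Piper or from any of the companies discussed: it stores passwords only as salted scrypt hashes (never the plaintext), and it runs a sliding-window check over a constructed, sshd-style auth log to flag accounts with repeated failures, with a lower threshold for privileged accounts. The log format, the account names, the thresholds and the scrypt parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Password storage: no plaintext on disk (list items on plain-text passwords and encryption).
# scrypt is a memory-hard KDF in the standard library; these parameters are an illustrative
# assumption for the example, not a value mandated by the GDPR or any regulator.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<key-hex>'. A fresh random salt per password means two
    users with the same password get different records, and the plaintext is never stored."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# --- Failed access attempts (list items on logging failures and monitoring privileged accounts).
# Constructed sample log in a simplified sshd-like format; not real log data.
SAMPLE_LOG = """\
2021-03-01T09:00:01 sshd auth FAILED user=alice src=10.0.0.5
2021-03-01T09:00:03 sshd auth FAILED user=alice src=10.0.0.5
2021-03-01T09:00:10 sshd auth SUCCESS user=alice src=10.0.0.5
2021-03-01T09:01:00 sshd auth FAILED user=root src=203.0.113.7
2021-03-01T09:01:02 sshd auth FAILED user=root src=203.0.113.7
2021-03-01T09:01:04 sshd auth FAILED user=root src=203.0.113.7
2021-03-01T09:30:00 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T09:30:01 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T09:30:02 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T09:30:03 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T09:30:04 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T09:30:05 sshd auth FAILED user=bob src=10.0.0.9
2021-03-01T10:30:00 sshd auth FAILED user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Assumed set of privileged account names for the example.
PRIVILEGED = {"root", "admin"}


def parse_auth_log(text: str):
    """Parse log lines into (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def failed_login_alerts(events, threshold=5, privileged_threshold=3, window=timedelta(minutes=10)):
    """Count FAILED events per user inside a sliding time window. Returns {user: peak failures
    in any window} for users whose peak reached their threshold; privileged accounts use the
    lower threshold, matching the advice to monitor them more closely."""
    failures = defaultdict(list)
    for ts, result, user, _src in events:
        if result == "FAILED":
            failures[user].append(ts)
    alerts = {}
    for user, times in failures.items():
        limit = privileged_threshold if user in PRIVILEGED else threshold
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored record:", record)
    print("verify ok:", verify_password("correct horse", record), "verify bad:", verify_password("wrong", record))
    print("alerts:", failed_login_alerts(parse_auth_log(SAMPLE_LOG)))
```

On the constructed log, alice's two failures followed by a success fall below the threshold, while root (three failures against the privileged threshold of three) and bob (six failures inside ten minutes; the later isolated failure falls outside the window) are flagged. In a real deployment the alerts would feed a SIEM or ticketing system rather than being printed, and the thresholds would be tuned to the environment.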
Frequently-asked questions
What is the penalty for GDPR violations?
The maximum fine for a severe GDPR violation is the greater of 4% of the offending company’s prior-year annual revenue or €20 million. For a more minor violation, the maximum fine is 2% of prior-year annual turnover or €10 million.
Has anyone been fined for GDPR violations?
Hundreds of organizations have been fined for GDPR violations, including Google, H&M, Marriott Hotels, and British Airways.
How are GDPR fines calculated?
GDPR fines are calculated based on aggravating and mitigating factors, as well as the amount of revenue earned by the offending company in the previous year. Considerations like the nature of the breach, the kind of data misused, and the number of people harmed are all taken into account.
What happens to GDPR fines?
Money collected from GDPR fines is returned to the national governments responsible for imposing them. Typically, they are simply directed to their respective national treasuries, but some governments have indicated they may wish to reserve a portion of the funds for litigation costs and other special expenses.
Who gets the money from GDPR fines?
The national government responsible for imposing GDPR fines ultimately receives the money. How the money is distributed after it is received by the member state is up to that nation’s legislative branch.
Who enforces GDPR fines?
Each member state that participates in the GDPR has a national agency responsible for investigating breaches of the GDPR, imposing fines, and collecting on them. In the United Kingdom, for example, that agency is the Information Commissioner’s Office (ICO).
Is revealing my email address a breach of GDPR?
Yes, revealing your email address - which qualifies as “personally identifiable information” (PII) - to a third party without your prior consent is a breach of the General Data Protection Regulation and may entitle you to compensation in certain, limited circumstances.
Is a breach of GDPR a criminal offense?
A breach of the General Data Protection Regulation (GDPR) is not, in and of itself, a criminal offense. However, there is considerable overlap in a lot of countries between GDPR violations and national criminal offenses. In other words, if a member state’s legislature decides to criminalize a GDPR violation, it becomes a criminal offense in that country.
What is a serious breach of GDPR?
A serious breach of the GDPR is a violation of Articles 5, 6, 7, 9, 12-22, or 44-49. It is one that goes to the core of the GDPR’s right to be forgotten and right to privacy. Non-compliance with a GDPR-related order by a supervisory authority is also considered a serious breach.
Can I sue for breach of GDPR?
Yes, in some circumstances you can sue for a breach of the General Data Protection Regulation (GDPR). You will be required to show that an organization under the jurisdiction of the GDPR failed to comply with its obligations and/or allowed a breach of those regulations that caused you to suffer material or non-material harm.
Definitions of Key Parties under the GDPR
Data Controller. Defined in Article 4(7) of the GDPR. It “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
Typically, the data controller will be the entity with whom a data subject enters into a relationship. For example, when a data subject creates a Google account, Google Inc. is the data controller.
Data Processor. Defined in Article 4(8) of the GDPR. It “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
For example, cloud service providers are frequently data processors, as they process personal data on behalf of another company.
Data Subject. Defined in Article 4(1) of the GDPR. It means “an identified or identifiable natural person.”
Further Resources
Click here for an overview of Data Protection Regulations in Europe.
Click here for an overview of what's required for a data protection impact assessment under the EU's GDPR.
Click here for an article on CCPA Compliance in a nutshell.
Click here for an overview of California's CCPA.
Legal Information
Finally, a note on how you can use this article. This article is not to be considered legal advice and is not a substitute for advice from qualified legal counsel. You may not rely on the information in this article. Material aspects of the discussions in this article may change at any time and without further notice.