The GDPR came into force on 25 May 2018. Administrative fines under Article 83 fall into two tiers: up to €10 million or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; and, for the most serious infringements (including breaches of the basic principles for processing, of the conditions for consent and of data subjects' rights), up to €20 million or 4% of that turnover, whichever is higher.

In the past 12 months a number of very substantial fines have been imposed. Five of the largest fines issued under the GDPR so far are as follows:

  1. Google's €50,000,000 fine from the CNIL, the French data protection authority

Issued for a lack of transparency as to how data was collected and used, particularly for the purposes of ads personalisation. The CNIL found that users' consent was neither sufficiently informed nor "specific" and "unambiguous", so the consent relied on had not been validly obtained.

The CNIL commented as follows: "This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."

  2. H&M's €35,300,000 fine from the HmbBfDI, the Hamburg data protection authority

A configuration error made data held on an H&M network drive accessible to everyone in the company. That data included sensitive personal data the company had collected about its employees and compiled into employee profiles that were later used in the promotions process. Extensive records of family circumstances, religious beliefs and illnesses had been recorded by the retailer.

"This is a case that showed a gross disregard," HmbBfDI head Johannes Caspar said, adding that the large fine was "justified and should help to scare off companies from violating people's privacy".

  3. TIM's €27,800,000 fine from the Italian DPA, the Garante

A fine following scrutiny of the telecommunications operator's invasive marketing strategy, which affected several million people. The investigation was prompted by hundreds of complaints about unsolicited telephone calls to customers. Personal data collected through TIM's apps was also used without sufficiently clear methods for acquiring consent.

In addition to the sanction, the Authority imposed 20 corrective measures on TIM, including prohibitions and prescriptions. In particular, it prohibited TIM from using for marketing purposes the data of those who had told call centres that they refused to receive promotional phone calls, of the subjects on the black list, and of the "non-customers" who had not given consent.

  4. British Airways' £20,000,000 fine from the UK ICO

An attacker compromised the British Airways website and diverted customer traffic to a site under the attacker's control, compromising the personal and financial details of over 400,000 customers in the 2018 cyber-attack.

The final penalty was substantially lower than the £183 million the ICO had originally announced it intended to impose, following British Airways' representations to the regulator.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

  5. Marriott International's £18,400,000 fine from the UK ICO

339,000,000 guest records were exposed as the result of a cyber-attack. A wide range of data categories was compromised, including names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests' VIP status and loyalty programme membership numbers. It was estimated that over 7 million guest records relating to people in the UK were exposed by the attack.

Information Commissioner Elizabeth Denham said:

"Personal data is precious and businesses have to look after it. Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

"When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.