Despite the fact that the General Data Protection Regulation (GDPR) became enforceable over four years ago (and was adopted more than six years ago), many organizations are still making major blunders – including some of the biggest businesses worldwide.
We've researched some of the biggest GDPR fines in 2022 (so far) to highlight what can go wrong. There's a lot for businesses of all sizes to learn from these examples.
1: Google Ireland
Google Ireland received an enormous €150m fine (€90m for Google LLC and €60m for Google Ireland Ltd specifically) on the last day of 2021. The CNIL – the French data protection authority – received complaints about the use of cookies on Google.fr and YouTube, so the CNIL dug into the issue and found that, while it was easy to accept cookies on these websites, it wasn't as easy to refuse them.
This was considered an infringement of Article 82 of the French Data Protection Act, affecting the freedom of consent of internet users. However, the fine is technically a GDPR one since it's the regulation that determines how web operators acquire consent.
2: Facebook
As with the Google Ireland case, Facebook was another organization that failed to provide a clear cookies opt-out, causing the CNIL to hit the social media giant with a €60m fine. The authority highlighted the fact that the language Facebook used in its cookies options was unnecessarily unclear, except when it came to the choice to accept cookies.
3: Enel Energia
Enel Energia received a €26.5m fine in January for its "aggressive" telemarketing practices, which included multiple GDPR violations. Garante, the Italian data protection authority, reported complaints ranging from the receipt of unsolicited promotional phone calls, lack of facilitation regarding data subjects' rights, and multiple other issues related to how the company processed personal data.
Alongside its violations against customers, Garante noted that Enel Energia breached Articles 30 and 31 of GDPR by not cooperating during the investigation, worsening the fine.
4: Clearview AI
Garante also handed a €20m fine to Clearview AI this year in response to various GDPR breaches. The breaches were mostly linked to Clearview's facial recognition products: issues such as the unlawful processing of biometric and geolocation data were highlighted, as was the disregard of fundamental GDPR principles such as transparency and storage limitation.
Clearview also failed to communicate with Garante, putting the organization in breach of additional GDPR articles.
5: Cosmote Mobile Telecommunications
After multiple breaches, the Hellenic Data Protection Authority fined Cosmote Mobile €6m in February – with its parent company, OTE Group, being fined an additional €3.25m. The breaches include a 2020 hack that exposed customer data, unlawful processing of customer data, and a lack of data anonymization that allowed the hackers to identify individual people. OTE's lack of involvement from the beginning of the investigation prompted the additional fine.
6: Vodafone España
Spain's data protection authority – the AEPD – fined Vodafone €3.94m earlier this year. Nine customers had complained to the AEPD after their SIM cards were fraudulently duplicated, enabling the fraudsters to carry out bank transfers and use other banking services.
Vodafone was fined because its security was lax enough for this to happen, and it was also noted that the organization displayed a "lack of accountability," blaming human error.
7: Dutch Tax and Customs Administration
A €3.7m fine was handed to the Dutch Tax and Customs Administration in April this year, after several years of illegally processing personal data in the Fraud Signaling Facility (the blacklist where the Administration keeps records of fraud). It was found that the Administration had added around 270,000 individuals to this blacklist, negatively affecting those people.
GDPR violations included serious issues with discrimination, as Administration employees were told to add people to the list based on nationality and appearance. The fine is the largest ever handed out by the Dutch Data Protection Authority.
8: Amazon Road Transport
In February, the AEPD fined Amazon Road Transport €2m for violating Articles 6 and 10 of GDPR due to its failure to implement the correct collection and processing procedures for personal data, specifically regarding criminal conviction information.
Amazon Road Transport had been requesting "negative certificates" – i.e., certificates proving the absence of a criminal record – from self-employed contractors and asking for consent from candidates to share that data with other companies.
The AEPD rejected the company's claims about how it was processing these negative certificates and refused to accept Amazon Road Transport's interpretation of Article 10 of the GDPR.
The common thread here is a lack of transparency regarding cookies and data privacy in general – things that should be second nature to any organization. If you learn anything from this list, it's to know your regulations and not hide things from your customers. It's important to understand how GDPR protects customer data and the steps you need to take to remain compliant.