1.6 billion euros in fines, but still working

When the EU introduced its general data protection regulation four years ago this week, it was called an innovative piece of legislation aimed at restoring control over citizens’ privacy rights in the face of high technology. Four years and more than € 1.6 billion in fines later, it is worth wondering what impact the remarkable regulation really has on Europe’s privacy and data protection. Experts say the true potential of the GDPR has not yet been realized and that structural problems in the way it is being implemented remain unresolved.

2018 GDPR fines: € 1.6 billion and counting

European data protection authorities have imposed combined fines of 1.6 billion euros for breaches of the GDPR since the introduction of the regulation in 2018. Almost half of this amount relates to a single payment: a fine of 740 million euros issued to Amazon by the Luxembourg office for data protection in July last year.

The fine is the result of a collective complaint filed by 10,000 people who claim that Amazon’s targeted advertising system uses their personal data without their consent. The e-commerce giant is in the process of appealing the decision and recently managed to suspend daily payments of 660,000 euros after a Luxembourg judge ruled that the data protection authority’s orders were “not clear, precise and uncertain enough”. according to Bloomberg.

Other significant GDPR fines include a 50 million euros a penalty imposed on Google by the French data protection regulator for failing to make its data processing statements sufficiently accessible to billions of users. The French authorities also ruled that Google had not sought the consent of its users to use their data for targeted advertising campaigns. The fine was upheld despite attempts by the company to appeal the decision.

Two years later, Google has once again come under fire from the French data protection authorities, this time for not providing “equivalent solution” to allow users to refuse cookies compared to accepting them. At the time, French authorities said that “refusing cookies should be as simple as accepting them” and fined Google another 150 million euros.

In 2020, the Office of the UK Information Commissioner fined British Airways £ 20 million after the personal data of 40,000 customers were breached in a cyber attack. The ICO ruled that the airline had not taken the necessary precautions to protect its customers’ data. The regulator initially threatened to fine BA £ 187 million, but the airline has successfully challenged the method it uses to calculate the figure.

The violation of the GDPR, for which the most fines have been imposed under the GDPR so far, is the processing of data with insufficient legal basis for this, according to data collected by the law firm CMS. This applies to Article 6 of the GDPR, which includes the requirement for the explicit consent of the individual before the organization can process his personal data.

Content from our partners

Which countries have imposed the most fines under the GDPR?

The Spanish data protection authority, AEPD, has imposed a total of 414 fines under the GDPR since 2018, the largest number of any European regulator. However, Italy issued the largest total value of the fines, imposing fines totaling € 137,339,596, according to the Enforcement Tracker.

The high number of penalties in Spain can be explained by the established culture of enforcing data rights even before the GDPR and a “completely independent” regulator, according to Estelle Masse, leading global data protection at Access Now, a leading digital rights charity.

Since 2018, AEPD has been pursuing targets ranging from telecommunications giants to individual citizens for different levels of data privacy breaches. Earlier this month, he fined a private individual 2,000 euros for sharing a WhatsApp video showing a violent attack on the complainant without their prior consent, according to Privacy.

On the same day, AELD fined another private individual 500 euros for installing surveillance cameras in their property, which managed to capture other neighboring properties. The AEPD found that this violated the principle of “data minimization“Where the collection of personal data must be” directly relevant and necessary to achieve a specific objective “.

Meanwhile, AEPD has in particular fined the Spanish subsidiary Vodafone a total of 58 times since 2018. In February earlier this year, the Spanish telecommunications giant was fined EUR 3.94 million after several customers complained that their SIM cards had been copied and used to make fraudulent bank transfers. AEPD has decided that Vodafone has not implemented “appropriate security measures” to prevent fraudulent copying of SIM cards.

And in March 2021 the company was fined 8.15 million euros for repeated “Aggressive telemarketing tactics” despite 162 complaints against such practices. In its notice of decision, AEPD stated that Vodafone had already received a fine or warning more than 50 times between January 2018 and February 2020.

This reveals the limitations of GDPR fines as a way to force companies to change their way, Mas said. “Obviously something doesn’t work if you have to constantly fine the same company for the same types of violations,” says Masse. “So there is a potential that some of the fines given by the Spanish DPA are not a sufficient deterrent for Vodafone.

“It is unclear why the DPA will repeatedly impose fines on Vodafone instead of launching a broad investigation into the company’s data practices, which seem problematic,” she added.

Structural problems hamper the potential of the GDPR

Data protection in Europe is stronger than it was in 2018, Mas said, but much more needs to be done for the regulation to reach its full potential. “There is indeed a growing awareness of privacy in Europe and elsewhere in the world, but we are not yet there to truly regain control of our information,” she said.

“I would say that we are still in the first phase of a better understanding of the online ecosystem, but the full potential of the GDPR is far from being reached, largely because implementation is lagging behind,” says Masse.

Stefano Rosetti, NOYB’s privacy lawyer, believes that the lack of strict deadlines for data protection authorities to respond adequately to GDPR complaints from citizens and organizations is a significant obstacle to its impact. The Irish data protection authorities recently settle the case with NOYB due to a “gross delay” in two lawsuits originally filed by the organization nearly four years ago.

“If you don’t have clear deadlines and rules of procedure, you have a paradoxical situation of granting rights to people, but you don’t put them into practice,” Rosetti said. “And this is really bad for the rule of law and what we believe to be citizenship, because if we have to have rights and freedoms, we also have to be able to defend ourselves against arbitrary actions by the authorities.

“We are wasting time and these information oligopolies or monopolies are getting bigger and bigger,” he added. “The only way to fight this is to exercise our rights and control these asymmetries, because if they are not applied, it is only on paper and it does not work for anyone.

Another problem with the GDPR is the lack of resources that national data protection authorities have to respond quickly to complaints and impose breaches of confidentiality, Mas added. Increasing the resources of national authorities would also level the playing field between them and the huge budgets of Big Tech’s legal departments. But progress on this front remains painfully slow, she said.

“If we are able to pass such comprehensive legislation, we must have the same political will to make it a reality,” Mas said. “There is a huge wave of regulations coming from Europe with the Digital Services Act and the Artificial Intelligence Act, but maybe we should stop these ideas right now and focus on implementing what we have.”

“I am worried that we will enter a cycle in which we will have to review this conversation every three to five years, because the mechanisms are not working. You can pass legislation as much as you want, but if you do not implement what you are adopting in Brussels, then it makes no sense. The time for implementation is now. “

Read more: UK government reaffirms plans to eliminate “cumbersome aspects” of GDPR