Fines for data protection have set a new record

The total fines imposed by European data protection supervisory authorities doubled in the first six months of this year. Every month, businesses are fined millions of euros for breaches of the General Data Protection Regulation (GDPR). 

In the first six months of this year alone, the total amount of fines imposed doubled compared with the same period last year. The number of infringements has decreased, but their seriousness, and therefore both the size of individual fines and the total amount imposed, has increased significantly.

The fines are increasing

In the first six months of this year, European data protection supervisory authorities imposed 221 fines totalling €98.5 million. The trend seems to be increasing: in July this year, for example, nearly €22 million in fines were imposed. In total, companies have been fined €1.7 billion so far for breaches of the GDPR.

Data breaches are most frequently detected in commerce, media, telecoms, financial services, healthcare, and the public sector. This is understandable, as these are the areas where the most personal data is used.

The supervisory authority for data protection will seek to bring penalties to a level that motivates companies to ensure people’s right to privacy and eliminates deliberate disregard of the rules.

A company fined by Greece, Italy, and the UK

As an illustration of contemporary problems in privacy law, let’s look at a case in which the UK’s Information Commissioner’s Office (ICO) fined Clearview AI in May this year. The company’s ‘ingenious’ idea was to use publicly available photos of people sourced from social media, among other sources, to create a global facial recognition database. No person was informed about the use of the photos, and the fine this time was just over £7.5 million.

The example of Clearview AI’s deliberate misuse of personal data is all the more interesting because, in February, the same company was fined €20 million by the Italian data protection authority. Before that, the Greek data protection authority also fined Clearview AI €20 million, and France and Austria also banned such data processing. It would be interesting to know if the project is making a profit or whether the fines have had a detrimental effect.

Meta (Facebook) and Google have unsurprisingly also received their corrections, adding €17 million and €10 million, respectively, to the budgets of EU member states.

Dutch tax and customs administration paid €3.7 million

We also have the case of a fine imposed by the Dutch data protection authority on the local tax and customs administration, a public sector organisation. For years, the tax authority had kept a blacklist of people likely to have committed tax fraud. There was no legal basis for the tax authority to keep such a list. In addition, there were people on the list who were mistakenly included, which led to problems and discrimination based on false information. The Dutch tax and customs administration was fined €3.7 million.

Bright ideas must undoubtedly be assessed in the light of the GDPR. Today, it is clear that one of the objectives of the European data protection supervisory authorities is to make it less worthwhile to build non-compliant business models, which unfortunately has so far been done deliberately.

Should you have any further questions, please contact our Specialist Data Privacy Counsel, Andres Ojaver.
