Given the growing enforcement of the General Data Protection Regulation and the increased fine limits these laws impose we bring you our analysis of the 5 highest fines, along with the comments from the data protection regulators that issued them. These fines together showcase the practical implications of the new regulation and how some of the biggest companies fell foul of sanctions. Analysis is given as at 24 December 2020.
Issued for the lack of transparency as to how data was harvested, particularly for the purposes of ads personalization. It was found that user’s consent was not sufficiently informed or “specific” and “unambiguous”. Thus, user consent was not obtained validly.
The CNIL commented as follows: “This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
A technical error caused H&M’s data from its network drive to become accessible to everyone in the company. The company had also collected sensitive personal data for its employees, creating employee profiles later used in the promotions process. Extensive records of families, religions and illnesses were recorded by the retailer.
“This is a case that showed a gross disregard”, HmbBfDI head Johannes Caspar said. Adding the large fine was “justified and should help to scare off companies from violating people’s privacy”.
A fine following scrutiny of the telecommunications operators invasive marketing strategy, which impacted several million people. The investigation came following hundreds of reports of unwarranted telephone calls to customers. The use of personal data from applications was also used without sufficiently clear consent acquisition methods.
“In addition to the sanction, the Authority imposed 20 corrective measures on Tim, including prohibitions and prescriptions. In particular, it prohibited Tim from using the data for marketing purposes of those who had expressed to call centers their refusal to receive promotional phone calls, of the subjects on the black list and of the “non-customers” who had not given consent.”
A hacker accessed the British Airways website and was able to divert traffic from the site to their own, compromising the personal data of over 400,000 customers. Personal and financial details were also leaked during the 2018 cyber-attack.
The resulting fine from the ICO was reduced by a multiple of ten given British Airways submissions to them.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
339,000,000 customer guest records were rendered vulnerable as the result of a cyber attack. A vast range of wide categories of data were compromised ranging from names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. It was estimated that over 7 million UK people’s guest records were rendered vulnerable by the attack.
Information Commissioner Elizabeth Denham stated: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”