GDPR Enforcement Themes & Takeaways for Australian Organisations

Australia’s privacy law landscape doesn’t grant individuals the same rights that residents of the EU and UK enjoy. But organisations operating in Australia can learn plenty of lessons from the enforcement actions and penalties imposed in Europe. In this post, we’ll explore some of the themes we’re seeing in European enforcement and outline the key takeaways.

General Themes in Enforcement in the EU

The same issues keep recurring in EU enforcement: consent, spam, inadequate security, and unlawful data processing. Other trends we continue to see include record-breaking (eyewatering) fines and a heating-up debate around ‘pay or okay’ models for service.

Record-Breaking Fines in Europe

Penalties under the GDPR can be steep, and the dollar value of the ‘highest ever GDPR penalty’ continues to grow. Last year, we saw a staggering USD 1.3 billion penalty against Meta IE, and we wouldn’t be shocked to see penalties in the billions against Meta, at least annually, for the next few years.

And yes, most of these large fines are being levied against large tech companies. But the ability of the European regulators to penalise companies to the tune of 4% of their global turnover shows that the rules there have teeth. 

Some of the largest fines under the GDPR to date include: 

  • The USD 1.3 billion fine against Meta IE for unlawful processing of personal data transferred to the US.
  • Luxembourg’s USD 813 million fine against a US-based online retailer. The details are not yet publicly available, and the penalty and findings are being appealed. However, there is speculation that the retailer is Amazon and that the penalty relates to cookie consents.
  • The USD 441 million fine against Meta, specifically Instagram, for failing to comply with transparency requirements, inadequate technical measures regarding the processing of data, and the failure to conduct a data protection impact assessment (in relation to the processing of child user data).
  • TikTok was fined USD 370 million for improperly processing the data of child users.
  • A French ad tech company (Criteo) was fined USD 44 million for breaches relating to targeted advertising. This penalty was later reduced by around one-third.

Compliance and Consent: Key Themes

The Pay or Okay Debate

The Pay or Okay debate refers to the business model some tech companies are adopting that requires users to either consent to extensive tracking and targeted advertising or pay a subscription fee to access the services. 

Critics of this model (including many of the EU regulators) argue that it is contrary to the consent requirement under the GDPR, which requires consent to be freely given, specific, informed and unambiguous.

This issue is yet to be determined by the EU courts, but for what it’s worth, transparency is typically the less damaging approach to privacy and consent. Your customers may consent to targeted advertising if they know and understand the potential benefits, such as more tailored recommendations and personalised offers. Positioning your offer this way is likely to reflect more positively on your organisation than strong-arming your users into consenting or paying.

Spam Marketing Calls & Texts Are Not Okay

The UK privacy regulator (ICO) fined Pinnacle Life 80,000 pounds for an illegal call campaign that ran from May 2021 to May 2022. Telemarketers made almost 48,000 illegal calls to people who had registered on the UK’s ‘Do Not Call’ list.

The company reportedly used aggressive, insulting, and harassing tactics during these marketing calls and made misleading statements, including that they worked for the company with which the call recipient had an insurance policy (when this was not the case). 

“One complaint read as follows:

Asked for me by name and incorrect address. Said did I have life insurance [sic]. I said yes but [that] I was not interested and [asked them] to remove me from their marketing list at which point he became abusive and called me stupid. I hung up but the same number called me thirty minutes later, so I ignored it.”

Key Takeaways for Australian Organisations

While these tactics are extreme, the takeaway is very clear: do not engage in spam marketing. The ACMA is enforcing high penalties in Australia, on top of the reputational harm that comes with complaints of this kind.

Other lessons here include: 

  • No Excuses for Unethical Tactics: Aggressive or misleading sales practices, even for legitimate offers, violate fair trading rules and privacy regulations.
  • Consumer Complaints Matter: The ICO investigation stemmed from complaints by individuals. Train staff to handle complaints properly and invest in systems to capture and investigate potential issues internally.
  • Reputation is Currency: Predatory marketing destroys consumer trust and harms brand reputation, on top of regulatory fines.

Strengthening Previous Takeaways

This case reinforces many of the earlier takeaways:

  • Respecting User Choice: People have the right to opt out of marketing contact and that choice must be respected.
  • Transparency and Honesty: Attempts to mislead or confuse consumers are unacceptable, regardless of the product you’re selling.
  • Proactive Compliance Culture: Train staff not just on the law, but also on ethical marketing practices. This builds trust with consumers and can prevent costly problems.

Unlawful Data Processing

A wide range of violations fall under the umbrella of ‘unlawful data processing’, including collecting data without a lawful basis for the collection, violating data subject rights, inadequate security, cross-border transfer violations, and insufficient transparency. 

The GDPR Enforcement Tracker is littered with examples falling under this umbrella. But here are a few recent examples to demonstrate what’s happening in Europe: 

  • Italy’s privacy authority fined UniCredit bank over a 2018 data breach in which the names, tax codes, and PIN codes of 778,000 customers were exposed. The regulator highlighted that the bank had inadequate technical and security measures in place to counter cyberattacks, and no measures in place to prevent the use of weak PINs. The penalty was set at 2.8 million Euros.
  • Iceland’s privacy authority fined Subway for improper monitoring of its employees via CCTV. The store’s manager watched employees at work from his home and commented on their work style by text and phone call. The staff had not been made aware of this use of the monitoring equipment and had not provided consent. Subway was fined 10 thousand Euros for the violation.
  • Users of a medical/health app suffered a breach when the company sent an outage notification with the recipients in the To field instead of the Bcc field, exposing around 5,001 email addresses to one another. The company was fined 300,000 Euros.

Key Takeaways for Australian Organisations

Takeaways for Australian organisations from these enforcement actions include: 

  • Get back to basics: collect data with consent, use it transparently, and protect it adequately.
  • Design with privacy in mind: privacy should be baked in as early as possible.
  • Technical measures reduce risk: putting controls in place so that your team can’t bulk-send emails with every recipient in the To field, or make other similar mistakes, is simple but effective. So many errors that become data breaches are avoidable.
  • Train your team to reduce the risk of human error.
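As an added illustration of the “technical measures” takeaway (example code written for this post, not from the app operator fined above), the following pre-send guard refuses a notification whose To/Cc fields would disclose more than a set number of recipients and shows how to rewrite it so that everyone goes into Bcc. The threshold `MAX_VISIBLE_RECIPIENTS`, the sample addresses and the helper names are all constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy (not from the post): more than this many addresses visible
# in To/Cc is treated as a bulk send that must go out via Bcc instead.
MAX_VISIBLE_RECIPIENTS = 5


def recipients_in(msg: EmailMessage, *headers: str) -> list[str]:
    """Collect the bare addresses found in the named headers (e.g. To, Cc)."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def guard_bulk_send(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Pre-send check: refuse messages whose To/Cc disclose the recipient list.

    Returns (allowed, reason). The sending pipeline must block on
    allowed == False rather than just log it, or the control is decorative.
    """
    visible = recipients_in(msg, "To", "Cc")
    if len(visible) > limit:
        return False, (f"{len(visible)} recipients visible in To/Cc exceeds "
                       f"limit of {limit}; move them to Bcc")
    return True, "ok"


def rewrite_to_bcc(msg: EmailMessage, placeholder_to: str) -> EmailMessage:
    """Remediation: move every To/Cc address into Bcc so recipients cannot
    see each other. placeholder_to is normally the sender's own mailbox."""
    fixed = EmailMessage()
    fixed["From"] = str(msg["From"])
    fixed["Subject"] = str(msg["Subject"])
    fixed["To"] = placeholder_to
    fixed["Bcc"] = ", ".join(recipients_in(msg, "To", "Cc"))
    fixed.set_content(msg.get_content())
    return fixed  # smtplib.send_message() drops the Bcc header from the wire copy


def constructed_outage_notice(n: int) -> EmailMessage:
    """Constructed sample: an outage notice with every recipient placed in To."""
    msg = EmailMessage()
    msg["From"] = "status@example.invalid"
    msg["Subject"] = "Service outage notice"
    msg["To"] = ", ".join(f"user{i}@example.invalid" for i in range(n))
    msg.set_content("We are investigating an outage and will update you shortly.")
    return msg
```

In practice the guard belongs in the shared mail-sending path (not in each caller), so that a single oversight in one notification script cannot bypass it.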

If you’re concerned about your compliance with the GDPR or privacy maturity on the whole, reach out. Our team would love to work with you. 

Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.