GDPR Fines in 2021: What can we learn?

EU privacy regulators last year levied fines totalling more than €1 billion for GDPR breaches, bolstered in part by two record-breaking fines against Amazon and WhatsApp. This was a sharp increase from the €159 million in fines seen for the preceding 12 months.

As a sign that EU regulators are likely to continue with increased enforcement and high penalties, France’s CNIL has kicked off 2022 with a bang, announcing fines of €210m against Facebook and Google for breach of the ePrivacy Directive (which regulates cookies, amongst other things).

Who is being targeted for the biggest fines? And what can we learn from the fines from 2021?

Biggest GDPR fines

Not surprisingly perhaps, the biggest fines have been imposed on US tech giants.  They have been imposed by regulators from different EU members – with the highest so far from one of the smallest regulators the Luxembourg CNDP.

We covered the Grindr fine in our earlier blog post.  Grindr was fined €6.5m by the Norwegian data protection authority (which is part of the EEA) for sharing data with third parties without proper consent.  But Grindr is just one of the well-known US big tech companies to have fallen foul of EU privacy regulators in the last year.

Luxembourg CNDP fines Amazon

The biggest fine imposed so far has been by the relatively small regulator in Luxembourg.  In July 2021, the Luxembourg CNDP imposed a fine of €746 million against Amazon. The fine was issued as a result of a complaint filed by 10,000 people against Amazon in May 2018, through a French privacy rights group that promotes and defends fundamental freedoms in the digital world- La Quadrature du Net.

The CNDP opened an investigation into how Amazon processes personal data of its customers and found infringements regarding Amazons’ advertising targeting system that was carried out without proper consent.

There are certain requirements for compliant consent that need to be met in order to stay in line with the GDPR, like using clear, plain language and explaining how data is going to be used, why and by whom.

However, specifics of the case have not been publicly disclosed or commented on by the CNDP since local laws bind the Luxembourg DPA to professional secrecy until an appeal process is completed. Although La Quadrature du Net did issue a statement available in French.

Amazon is appealing the fine which means the final amount could end up being lowered or even dismissed by a court.

Ireland’s DPO fines WhatsApp

Ireland imposed a fine of € 225 million on WhatsApp in September 2021 over its alleged failure to disclose to users how their data was being shared with parent company Facebook, which is now known as Meta.

The Irish DPC’s investigation, which began in 2018 and focused on WhatsApp’s compliance with its GDPR transparency obligations, initially resulted in the proposed imposition of a smaller penalty (ranging between €30 and 50 million) by the Irish regulator. However, eight other EU supervisory authorities objected to this, regarding the amount of the fine as too low. The final amount of the fine was determined by a binding decision from the EDPB and was €225 m calculated as follows:

  • EUR 90 million for breaching the GDPR principle of transparency (Art.5(1)(a));
  • EUR 30 million for breaching the GDPR obligations to inform data subjects under Art.12;
  • EUR 30 million for breaching transparency obligations regarding personal data obtained directly from the relevant individuals (Art.13); and
  • EUR 75 million for breaching transparency obligations regarding personal data that have not been obtained from data subjects (Art.14).

WhatsApp is appealing this fine.

France’s CNIL fines Google

In 2019, the French regulator, the CNIL, imposed a fine of €50 million on Google for failing to adequately inform users about their data collection practices, and not giving users enough control over how their information is used.

The complaints were brought by two French privacy advocacy organizations shortly after the GDPR went into effect in 2018. CNIL found that information on how data is used is not easily accessible enough to users, with important facts scattered across too many different documents. CNIL also found that some of Google’s descriptions of their data processing methods were too vague or unclear. On this basis, CNIL ruled that the search giant failed to comply with the GDPR by not adequately obtaining the consent of users, particularly emphasizing that consent must be given for each specific purpose of data use rather than *en masse* with one checkbox that covers multiple purposes.

Successful appeals

It’s worth noting that, as well as some big fines, there have been some successful appeals resulting in findings being overturned or fines significantly reduced.

For example, a €14.5m fine imposed by the Berlin data protection supervisory authority against Deutsche Wohnen SE for alleged infringements of the storage limitation principle was held to be invalid by the Regional Court of Berlin on the basis that the Berlin DPA failed to specify acts of the management of Deutsche Wohnen SE which were in breach of GDPR and therefore did not satisfy the requirements of the German Act on Regulatory Offences. This decision is now being further appealed.

It looks like it pays to appeal and to mount robust challenges to proposed regulatory sanctions. Which is what Amazon and WhatsApp are reported to be doing with their 2021 fines.  Watch this space for the final outcome.

What’s happening in Australia?

Perhaps the most notable action in Australia has been by the consumer protection regulator – the ACCC – rather than the Australia Privacy Commissioner, against Google.

In 2021, the ACCC successfully argued that Google engaged in misleading and deceptive conduct in a world-first enforcement proceeding under Australia’s consumer protection laws.  We have covered this in our earlier blog post. Having won the case, the ACCC sought pecuniary penalties, publications orders, and compliance orders. According to the ACCC press release, these were to  be determined at a later date.  There’s still no news on what the penalties and other outcomes of this decision might be.

Meanwhile, the  Privacy Commissioner took on Facebook in its first action to seek to impose penalties for serious or repeated infringements.  We covered the ACCC v Google and the OAIC v Facebook litigation in our post from May 2020 – read it here.

Coming from the Cambridge/Analytica revelations,  the Privacy Commissioner argues in this case that the Facebook design meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed. It is claimed that these actions ‘left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.’

In April 2020, the federal court granted the OAIC leave to serve legal documents on US-based Facebook Inc and Facebook Ireland.  There has been no news or update on the proceedings since then.

Following an investigation by the UK Information Commissioner’s Officer into the same circumstances in 2018, Facebook agreed to pay a fine of 500,000 pounds, without any admission of liability.

Conclusion

One of the reasons for the introduction of the GDPR was to support harmonised, consistent and heightened action by supervisory authorities.  The amount of potential fines (up to 4% of total global annual turnover for some breaches) under the GDPR was one of the main reasons international organisations paid attention to the new law. Action taken in 2021 indicates that EU regulators are now preparing to flex their enforcement muscles, particularly vis-a-vis US big tech organisations.

Meanwhile enforcement activity in Australia remains slow.

There is little to report on either the ACCC penalties against Google for misleading tracking of users or the progress of the OAIC’s action against Facebook, stemming from Cambridge Analytic revelations made in early 2018 –  almost four (4) years earlier.

Delays in decisions on breaches, liabilities and penalties are not helpful either for businesses who need to understand their compliance obligations or for the general community who need to feel that regulators and courts are acting fairly and promptly. But without significant additional resources it’s unlikely that enforcement activity by the OAIC will increase any time soon.

More information:

DLA Piper’s latest GDPR and data breach report.