On 25 May 2018, the European Union began enforcing a new set of data protection laws called General Data Protection Regulation (GDPR). These laws are enforced on any company that handles data coming from EU citizens, regardless of where that firm is based. Companies that fail to comply with GDPR standards for privacy protection face some of the stiffest fines in the history of online commerce.
Companies that fail to comply with GDPR standards for privacy protection will not only face fines, crucially it could damage their reputation.
Individuals can also face fines for GDPR violations if they use other people’s personal data for anything other than personal purposes.
Contraventions of GDPR and compliance was set at a maximum penalty of €20m (£17.5m) or 4 percent of global turnover, whichever is the greater.
Article 83 of GDPR
Article 83 of the GDPR outlines how the fines will be calculated prior to assessing the penalties to violators. The ten major criteria that authorities will use to determine fines will include:
- Did the offender meet the standards for data protection certifications?
- Did the offender cooperate with authorities investigating the data breach?
- What type of personal data was accessed due to the breach?
- Did the offender have a history of allowing such data breaches?
- Was the data breach due to the offender’s negligence or intentional action?
- What actions did the offender take to mitigate the damage?
- What was the nature and extent of the damage caused by the data breach?
- When did the offender notify the regulatory authorities and the affected parties about the data breach?
- What preventative measures did the offender take prior to the data breach?
- What other mitigating circumstances were involved in the data breach?
Within the first nine months of the implementation of GDPR in May 2018, European data protection agencies issued fines totalling £43m (€56m) for GDPR breaches. Most of that hefty sum was against Google. The tech giant was fined 50 million euros (£44m) by the French data regulator CNIL, for a breach of the EU’s data protection rules.
CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Complaints against Google were filed by two privacy rights groups: noyb and La Quadrature du Net (LQDN). They claimed Google did not have a valid legal basis to process user data for ad personalisation.
Entertainment streaming giants including Amazon, Apple, Netflix and Spotify have also come under the spotlight and been accused of breaking the EU’s data regulations.
GDPR rules say EU customers have the right to access a copy of the personal data companies hold about them. However, privacy group noyb said it found that most of the big streaming companies did not fully comply.
An assessment from the European Data Protection Board (EDPB), said there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.
The impetus behind the call for GDPR compliance comes down to the one idea that, without it, no business transaction could ever take place.. Trust. GDPR seeks to ensure that customers can trust businesses to protect their sensitive data, maintain transparency about what they do with that data, and, in the event of a security breach, that the customers are informed of the breach in a timely manner.
The impact that a significant GDPR fine can have on a firm’s finances can be devastating, even for some of the world’s biggest companies.
Not only does it affect a firm’s reputation, but a fine totalling up to four percent of annual revenue can cause the company’s profit numbers to go from black to red in an instant.
In the UK, the Information Commissioner’s Office (ICO) has dished out numerous six-figure fines but none have yet exceeded the £500,000 maximum penalty that was the maximum under the Data Protection Act 1998. It has, however, served an enforcement notice to AggregateIQ, a Canadian company that supplied software to Cambridge Analytica. This was the first formal information action under GDPR and the UK Data Protection Act 2018 that will mirror the EU regulation in post-Brexit Britain.
The notice warned that if AggregateIQ failed to cease its processing of personal data of UK or EU citizens for the purposes of data analytics, political campaigning or advertising, it could face an eye-popping fine under the terms of GDPR.
Uber was hit with a £385,000 fine after the company paid off hackers who stole the personal details of around 2.7 million Uber customers in the UK without informing the victims about the incident.
The attackers accessed a cloud-based system storage system operated by Uber’s parent company using “credential stuffing”, a process of injecting compromised username and password pairs into websites until they find a match with an existing account.
They then downloaded full names, email addresses, phone numbers and other information from customers, as well as the records of almost 82,000 drivers, including details on the journeys they’d made and the fairs they’d been paid. Uber paid the attackers $100,000 to destroy the data but didn’t tell the affected customers and drivers for more than a year.
The £385,000 fine was determined based on the size of the breach, the sensitivity of the information stolen and the failure to notify the victims and regulators at the time.
Around 174,000 people in the Netherlands were also affected, leading the Dutch Data Protection Authority (DPA) to impose a separate €600,000 (£532,000) fine.