There are two tiers of fine under the EU-GDPR & UK-GDPR.
The tiers are based on the type of violation and the type of data processing concerned.
Most organisations fall within the lower-level tier.
Under the UK-GDPR, lower-tier violations can lead to a fine of up to £8.7 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to £17.5 million or 4% of the organisation’s worldwide annual turnover, whichever is higher.
Under the EU-GDPR, lower-tier violations can lead to a fine of up to €10 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to €20 million or 4% of the organisation’s worldwide annual turnover, whichever is higher.
How is the value of the fine decided?
Supervisory authorities consider multiple factors when deciding on the value of the fine to impose. Article 83 of the GDPR, titled “General conditions for imposing administrative fines” states how fines should be determined.
“When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”
Supervisory authorities such as the ICO must consider these factors before deciding on the value of the fine applied. They can also decide not to impose a fine if they believe that the offence is minor and that appropriate measures were in place, or will be taken, to prevent any further breach; for example, a cyber attack that circumvented strict IT policies and procedures.
The three biggest GDPR fines so far
1. Amazon fined €746 million (£631 million)
Supervisory Authority: Luxembourg DPA
The biggest GDPR fine so far. Amazon first disclosed this fine in its July 2021 earnings report. The fine was levied by the Luxembourg DPA.
2. WhatsApp fined €225 million (£190 million)
Supervisory Authority: Ireland DPA
WhatsApp was fined a record €225 million by the Irish data regulator, the Data Protection Commission (DPC), on August 20, 2021, for a number of cross-border data protection violations. The fine followed a lengthy investigation and enforcement process that began in 2018 and saw the DPC’s proposed verdict and punishment rejected by its European counterparts, resulting in a referral to the European Data Protection Board.
3. Google fined €150 million (£125.8 million)
Supervisory Authority: CNIL, France
Google was fined €50 million by France’s data protection agency, the CNIL for loading tracking cookies without consent.
The regulator carried out investigations of the websites reported to them and found that tracking cookies were automatically loaded onto the user’s device when the user visited Google domains, which is in breach of the country’s data protection laws.
Under local French (and European) law, site users should have been clearly informed before the cookies were loaded and asked for their consent. Loading non-essential cookies by default is not permitted.
Google has since updated its cookie consent mechanism, which you can test yourself by visiting Google in incognito mode in your browser.
Where does GDPR money go?
In the UK, fines under the UK-GDPR go to the central government fund, run by the Treasury. The Treasury can allocate these funds to projects in the public sector. You can learn more about where GDPR fines go in our recent article:
The UK-GDPR and EU-GDPR allow for some large fines. But these eye-watering numbers are still arguably small change to many of the biggest big-tech offenders. At present it’s unclear whether this is a big enough deterrent for them to desist from their disrespectful approaches to privacy. Recent hiring sprees by supervisory authorities across Europe suggest that enforcement will continue to intensify. At Measured Collective we expect the importance of complying with data privacy laws to increase – not just because of fines, which are often nominal. We believe that a growing interest from consumers in their privacy will drive firms to take more robust steps to protect personal data.