There are two tiers of fines under the EU-GDPR and UK-GDPR.
The tiers are based on the type of violation and the type of data processing concerned.
Most organisations fall within the lower-level tier.
Under the UK-GDPR, lower-tier violations can lead to a fine of up to £8.7 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to £17.5 million or 4% of the organisation’s worldwide annual turnover, whichever is higher.
Under the EU-GDPR, lower-tier violations can lead to a fine of up to €10 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to €20 million or 4% of the organisation’s worldwide annual turnover, whichever is higher.
How is the value of the fine decided?
Supervisory authorities consider multiple factors when deciding on the value of the fine to impose. Article 83 of the GDPR, titled “General conditions for imposing administrative fines”, sets out how fines should be determined:
“When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”
Supervisory authorities such as the ICO must consider these factors before deciding on the value of the fine applied. They can also decide not to impose a fine if they believe that the offence is minor and that appropriate measures were in place, or will be taken, to prevent any further breach; for example, a cyber attack that circumvented strict IT policies and procedures.
The three biggest GDPR fines so far
1. Google – €50 million (£42.9 million)
Date: 21 Jan 2019
Supervisory Authority: CNIL (France)
This fine was levied by the French supervisory authority CNIL. An appeal from Google was ultimately dismissed by France’s top court. The CNIL found that Google’s data consent policies were neither easily accessible nor transparent. It also found that Google did not gather appropriate consent for the data processing it performed with its core Google Search product.
2. H&M – €35.3m (£32.1m)
Date: 01 Oct 2020
Supervisory Authority: DPO, Hamburg, Germany
H&M was fined after recording unnecessary personal details about its employees. The statement regarding the investigation by the data protection authority based in Hamburg notes that data collection from employees had been going on since 2014. It specifically noted that “some supervisors acquired a broad knowledge of their employees’ private lives through one-on-one and water-cooler conversations, ranging from rather harmless details to family problems and religious beliefs”. This data was subsequently stored by H&M and made available to other managers within the organisation.
3. Tim – Telecom Italia (€27.8m/£24m)
Date: 01 Feb 2020
Supervisory Authority: Garante Privacy
In 2020, Telecom Italia (Tim) was fined €27.8m by the Italian data protection authority Garante Privacy.
Tim was fined after the data protection authority received a large number of complaints about promotional calls made by the telecoms provider without consent. The regulator noted that it had received hundreds of complaints in total.
Customers received calls even after registering with Italy’s equivalent of the UK’s TPS (do not call) list. Some individual recipients reported receiving marketing calls up to 155 times.
Because of the severity of the complaints, the scale of impact and the lack of policies in place at Tim, the regulator imposed a large fine.
Where does GDPR money go?
In the UK, fines under the UK-GDPR go to the central government fund, run by the Treasury. The Treasury can allocate these funds to projects in the public sector. You can learn more about where GDPR fines go in our recent article:
The UK-GDPR and EU-GDPR allow for some large fines. But these eye-watering numbers are still arguably small change to many of the biggest big-tech offenders. At present it’s unclear whether this is a big enough deterrent for them to desist from their disrespectful approaches to privacy. Recent hiring sprees by supervisory authorities across Europe suggest that enforcement will continue to intensify. At Measured Collective we expect the importance of complying with data privacy laws to increase – not just because of fines, which are often nominal. We believe that a growing interest from consumers in their privacy will drive firms to take more robust steps to protect personal data.