Mega fines by data protection authorities
The strict rules of the EU's General Data Protection Regulation (GDPR) will apply in all Member States of the EU from 25 May 2018, and entities carrying out data processing activities which fail to comply with the GDPR may face serious sanctions, including fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher.
It may be surprising, but data protection authorities in the European Union have already imposed extremely high fines for data protection violations in the not too distant past. In Hungary, the maximum fine is currently HUF 20 million (about EUR 68,000), which the Hungarian Data Protection Authority (NAIH) has imposed on a few occasions. The Authority has also levied fines of a few million Hungarian forints a number of times (for example, on companies engaged in direct marketing or claim handling activities). After 25 May 2018, however, the maximum fine will be EUR 20 million (or 4% of worldwide turnover, if higher) in Hungary too.
Below you will find a summary of decisions in which authorities in various European countries issued very high fines, starting with the highest fine ever imposed in Europe.
In the first quarter of 2017, the Italian data protection authority imposed the highest fine that has ever been imposed in the European Union. In total, a fine of more than EUR 11 million was imposed on five undertakings. Out of the five companies, one registered in the UK was hit with a fine of EUR 5.88 million, whereas a fine between EUR 850,000 and EUR 1.6 million was imposed on the remaining four companies, all being undertakings registered in Italy.
The Authority's procedure followed a police investigation opened on suspicion of money laundering. According to the Authority's findings, the companies executed wire transfers to China in the names of various individuals, using those individuals' personal data for the transfers. The Authority established that the transactions had been made to appear as if they were ordered by private individuals who, however, knew nothing about them; their personal data had therefore been used without their consent and, thus, unlawfully.
The Italian authorities considered that the transactions were structured so that each transfer stayed below the reporting thresholds of anti-money-laundering law, and that the companies drew the personal data of the individuals from a database held by one of the companies, making the transactions look like transfers ordered by private individuals.
According to the Authority, the companies' actions violated data protection law because they used the personal data of individuals for the transfers without their consent, and the violation concerned a "database of considerable size and importance".
The Authority calculated the fine as follows:
- on the one hand, a fine of EUR 10,000 was imposed for each individual whose rights had been violated (this was the minimum fine that could be imposed for a violation of the rules on consent);
- on the other hand, an additional fine of EUR 50,000 was imposed because the violation concerned a "database of considerable size and importance".
Since the Authority found that one of the companies had unlawfully used the personal data of 583 individuals, it imposed a fine of 583 x EUR 10,000 plus EUR 50,000, i.e. EUR 5.88 million, on that company. This fine is already of the same order of magnitude as the fines that may be imposed under the GDPR, even though, in setting the amount, the Authority also took into account that, in its view, there was a serious violation of anti-money-laundering law.
In September 2017, the Spanish Data Protection Authority (AEPD) imposed a fine of EUR 1.2 million on Facebook. In the Authority's view, the company committed two "serious" and one "very serious" violation of data protection law, and it therefore imposed a fine of EUR 300,000 for each serious violation and EUR 600,000 for the very serious violation.
In the Authority’s view, the company committed the following violations:
- the social network processed specially protected data for advertising purposes, among others, without obtaining the express consent of the users as required by data protection law, which qualifies as a very serious violation;
- the company collected special categories of data (for example, on ideology, religious beliefs and personal preferences, as well as browsing activity) on its own website and on third-party websites without informing users how and for what purpose it would use those data;
- the data protection policy was not sufficiently comprehensive and clear, so the company did not obtain valid consent;
- the company did not properly inform data subjects about its use of cookies (it collected browsing data both of registered Facebook users while they visited third-party websites and of individuals who had visited the company's website at least once but were not registered on Facebook);
- the company did not comply with its obligation to erase data: it retained the personal data of individuals for at least 17 months after they had deleted their Facebook accounts and requested that their data be erased.
The Authority issued a brief English-language press release on the decision.
The United Kingdom
In 2017, the UK data protection authority, the Information Commissioner's Office (ICO), issued fines totalling GBP 4.9 million. In 2016, the ICO imposed fines on 35 occasions, totalling GBP 3.3 million.
In 2015, the ICO imposed fines on only 18 occasions, totalling a little over GBP 2 million, of which GBP 1,152,500 related to data protection violations.
The trend thus shows an increase in both the number and the amount of fines.
The highest fine the ICO has imposed so far is GBP 400,000. It was levied on a telecommunications company following a 2015 hacking attack in which the personal data of around 150,000 customers were compromised. The maximum fine that could be imposed in the UK was GBP 500,000, so the ICO imposed 80% of the maximum. What the amount would have been under the GDPR regime is an open question, but it can be said with reasonable certainty that it would have been much higher than GBP 400,000, presumably in the range of several million GBP.
In another case, the ICO imposed a fine of GBP 300,000 on a financial undertaking that had made some 8.7 million nuisance calls without the prior consent of the individuals called.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.