The General Data Protection Regulation (GDPR) is the world’s most stringent legal framework for data privacy. It was framed by the European Union (EU) to protect the personal data and privacy of its citizens. It applies to all organisations worldwide as long as they deal with, collect or store the data of EU citizens. It came into force in May 2018. GDPR requires organisations to create specific data protection frameworks and “appropriate technological principles” to control who may access and share user data. The regulation also establishes the requirements for disclosing or confirming private information about an individual or organisation to authorised outside parties. The authorities charge hefty amounts if companies do not comply with the GDPR: fines may extend up to €20 million or 4% of the company’s worldwide turnover, whichever is greater. As of May 2022, the data protection authorities had imposed a total of 900 fines, and the number is rising steeply. The data protection authorities have shown no leniency towards those who infringe the regulation. This article discusses how some big businesses and social media companies have recently been hit with high fines.
Amazon’s €746 million GDPR Fine
Luxembourg’s data protection authority charged the retail giant Amazon a sky-high fine of €746m for a GDPR breach. The penalty is unparalleled; it is more than twice as much as all previous GDPR fines combined and is the largest one ever imposed. The monetary charge, which Amazon is appealing, comes at a time when GDPR enforcement is under pressure over both slack compliance and punitive fines. But what did Amazon do? In May 2018, 10,000 individuals complained collectively about Amazon through a French privacy rights organisation. An inquiry revealed that Amazon’s commercial targeting technology lacked the necessary consent obtained via cookies. However, the specifics of the matter haven’t been disclosed, since local regulations forbid doing so until the appeals process is over. It’s worth noting that Amazon has also been fined €35 million by France for failing to get cookie consent on its website “amazon.fr”.
WhatsApp’s €225 million GDPR Fine
Ireland’s Data Protection Commission imposed a hefty fine of €225 million on Facebook’s (now Meta’s) instant messaging giant for failing to inform European users about how their data is collected, used and shared with the parent company Meta. In the view of the authority, the messaging giant did not explain its data processing practices to users in its privacy notice, and WhatsApp failed to give a valid legal basis for that processing. This violated several provisions of the GDPR. Article 12(1) requires companies to provide information to data subjects in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”, and Articles 13(1)(c) and 14(1)(c) require companies to provide users with specific information, including “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”.
Google’s €150 million GDPR Fine
The French data protection regulator, the CNIL, fined Google Ireland £75.1 million at the beginning of 2022 for violations related to the implementation of YouTube’s cookie consent mechanism. According to the CNIL, users should be able to reject cookies as easily as they accept them, but it found that rejecting cookies required more steps than accepting them did. Given that Google’s activities in the EU are managed from Ireland, a GDPR violation would normally have been handled under the one-stop-shop mechanism. However, because cookie consent falls under the ePrivacy Directive rather than the GDPR, national authorities may act directly wherever they have jurisdiction. Since the GDPR nonetheless governs how website owners must obtain consent, the ruling still counts as a “GDPR fine.”
In the same ruling, Google LLC of California received a second fine of £47 million for the same violation, this time relating to its search website.
Facebook’s €60 million GDPR Fine
As in the Google case, in 2022 the CNIL also fined Facebook (Meta) for failing to obtain valid user consent for cookies. The problem was that rejecting cookies was considerably more complex than accepting them, and users were effectively only given the option of accepting cookies, even when it appeared that they were refusing them. According to the CNIL, this ambiguity “creates uncertainty and that the user might feel that it is practically not feasible to deny the deposit of cookies and that they have no ability to regulate it.” The CNIL justified the amount by pointing to the size of the affected population and to the social media giant’s sizable advertising earnings, which derive indirectly from the data collected through cookies, and held the fine to be proportionate to both.
H&M’s €35 million GDPR Fine
The Data Protection Authority of Hamburg, Germany, penalised the clothing retailer H&M for violations in how it managed its workers’ data. The company recorded the “return-to-work” meetings that were required after sick leave or vacation, and more than 50 supervisors had access to the recordings. This provided supervisors with “a comprehensive understanding of the personal affairs of their workers, spanning from pretty trivial facts to familial concerns and religious convictions,” and they utilised this knowledge to assess the performance of employees or to make employment decisions.
H&M could have avoided the fine by placing strict access restrictions on the information and refraining from using it in hiring decisions.
The big players in different spheres of business, such as Meta and WhatsApp (social media giants), Amazon and H&M (retail giants), and Google (search engine), have all been found in breach of data protection rules: they stored information about their customers and employees (in the case of H&M) in a way unacceptable to the data protection watchdogs. Hefty fines were therefore imposed on them. This piece, in a way, reiterates the importance of having a solid data protection and privacy system in place to save millions.