European regulators have always been highly interested in the data management and privacy measures followed by giants like Google and Facebook.
The $56 million fine levied against Google by the French data regulator CNIL in January 2020 remains the most significant penalty ever charged under the EU General Data Protection Regulation (GDPR). EU regulators are now drafting stricter data privacy rules as a follow-on to GDPR that will target the largest platform operators like Google and Facebook.
A GDPR fine-tracking website confirmed that the European data police have so far handed out 228 fines, costing violators nearly $163 million. The Privacy Affairs GDPR fines tracker confirmed that European telecommunications providers were also hit hard for GDPR violations, accounting for almost $79 million. For instance, the Italian telecom provider TIM was hit with a $31.6 million fine issued on Feb. 1 by the Italian Data Protection Authority.
Most GDPR breach cases are based on numerous unlawful data processing activities related to advertising and marketing, including unsolicited promotional calls without customer consent. Another steep fine for GDPR violations, worth $20.4 million, was levied against the Austrian Post. The German property management company Deutsche Wohnen SE was fined about $16.8 million for collecting data on tenants without giving them an opt-out option.
Germany’s leading 1&1 Telecom was hit with a $10.8 million penalty at the end of 2019 for failing to secure user data. Sensitive customer data such as client names and birth dates was exposed during this breach. Some proposed fines, which could be the largest ever under GDPR, are still pending against British Airways and Marriott. The hotel chain faced a massive $123 million penalty for a data breach back in 2018. British Airways faces a record fine of $230 million for a 2018 data leak.
The GDPR breach case against Google was filed by two privacy groups in May 2018, claiming that the U.S. search giant lacked an adequate legal basis for processing user data for targeted ads. Under GDPR consent rules, users must express proper consent before companies process their personal data.
As the GDPR fines pile up, European data regulators are proposing new “digital sovereignty” rules, widely viewed as “the Next GDPR”: the Digital Services Act. The Digital Services Act will seek to hold platform operators such as Facebook responsible for the content carried on their networks.
The DSA will be the defining digital regulation of the decade, tackling subjects such as the rights of censorship, consumer rights, the free market, and the responsibility of online platforms. A draft version of the Digital Services Act is expected to be released soon. It would compel platform operators to determine and examine the legality and fairness of the content under expanded European data rules.