10 famous cases of fines related to the GDPR


Summary

The GDPR is the European legislation that regulates the processing of personal data by companies operating in the European Union or collecting data about people in Europe. It came into effect in May 2018, and several companies have already been penalized for non-compliance. The size of the fines, combined with the negative publicity that comes with being penalized under the GDPR, shows how important it is to comply with the new data protection laws.

A report by DLA Piper indicated that, even before the GDPR had completed its first year of enforcement, regulators had already identified and fined 91 companies for non-compliance. It's worth noting that, unlike the LGPD (Brazilian General Data Protection Law), the European law stipulates penalties of approximately 4% of a company's total revenue, whereas in Brazil penalties can reach only 2%.

In this post, we will look at the main cases of companies fined under the GDPR and what infractions they committed.

British Airways
British Airways received one of the largest fines issued under the GDPR: the body responsible for overseeing the law demanded payment of £183 million.
The fine dates back to the end of 2018, when a security breach at the company leaked data such as full names, addresses, details of flights and scheduled trips, login credentials, and credit card information belonging to approximately 500 of its customers. The ICO (Information Commissioner's Office) alleged that the incident could have been avoided if the airline's online security implementations had not been "so poor."

PwC
The Greek arm of the company was fined €150 for violating the GDPR, and in addition to the fine, the Hellenic Data Protection Authority also imposed corrective measures on the organization.
The Hellenic DPA received a complaint and conducted an investigation (on its own initiative) into alleged illegality in the processing of the personal data of PwC's own employees. The company was processing this data on the legal basis of employee consent, which the Hellenic DPA considered inappropriate given the imbalance of power between the parties in an employment relationship, and therefore a violation of the GDPR.

Google
In 2018, Google issued a statement about the changes made to its privacy and data protection policies to comply with the GDPR, and even created a page to answer questions about the new policy.
Even so, the company still ended up violating the rules and was fined €50 million. The reason for Google's penalty was that the company failed to provide users with sufficient information about how it obtained consent to process their data.

Barreiro Montijo Hospital Center
The Barreiro Montijo Hospital Center, located in the city of Barreiro, Portugal, was fined €400. The complaint alleged that people who did not work at the hospital were using third parties' credentials to access its system. Suspicion arose because the hospital had 985 users registered as doctors, while only 296 doctors actually worked there.

Knuddels.de
The German social network was fined €200 for a data breach that exposed the information of more than 330 people, including their email addresses and passwords. In some cases, other information such as users' names and addresses was also leaked and made available on public cloud services.
The breach revealed that the website kept this data in plain text, without any encryption or anonymization that could have hindered the identification of users.

Austrian entrepreneur
An Austrian businessman became the first person to be fined under the GDPR in his country. He claimed to have bought a camera to monitor the front of his establishment; however, the equipment was positioned so that it filmed the entire sidewalk of the neighborhood.
The Austrian data protection authority determined that monitoring public spaces without clearly marking the camera constituted a violation of the GDPR.
This case is particularly interesting because it shows how European law covers not only the protection of information on the internet, but also offline.

Facebook
In July of last year, Facebook received a ruling that it would have to pay a fine of US$5.5 billion to end the US government's investigation into its privacy practices; the decision was communicated to the company by the US Federal Trade Commission.
Facebook agreed to pay the fine and to submit to a 20-year oversight program as part of an FTC order, which ultimately included another penalty because the company had failed to comply with a 2012 FTC order that also governed the privacy of user data. Many criticized the decision.

Uber
In 2016, a breach at Uber compromised the data of 600 drivers and 57 million user accounts. Instead of reporting the incident, the company paid a cybercriminal $100 to keep the hack hidden. However, as the saying goes, "cheap is expensive," and these actions cost the company a $148 million fine in 2018 for the data breach.

Yahoo
In 2013, the company suffered a security breach that affected its entire user database, approximately 3 billion accounts. The company did not disclose this for three years, and in April 2018 the U.S. Securities and Exchange Commission (SEC) fined it $35 million for failing to disclose the breach.

Target
In 2017, the retail company accepted an $18.5 million settlement with 47 states and the District of Columbia over a 2013 breach in which approximately 40 million credit and debit card accounts were stolen during the Black Friday sales rush. Investigations into the case found that the names, addresses, phone numbers, and email addresses of up to 70 million individuals had also been exposed. The total costs associated with the breach exceeded $200 million.

These are just a few examples (not to be followed) of companies that have in some way violated data privacy regulations. This is why it is so important to stay informed about the GDPR, and now about the LGPD, which will come into effect in August of this year, and to comply with the rules already in force from now on.

About the Author

We are a Privacy and Personal Data Protection Management, GRC, and ESG solution provider. We help companies build responsible businesses.
