Busted: Google Remains Atop List of GDPR Fines
If the best way to get someone’s notice is to hit them in the pocketbook, then European regulators have the full attention of data giants like Google.
The €50 million ($56 million) fine levied against Google (NASDAQ: GOOGL) by the French data regulator CNIL last January remains the largest penalty so far as the EU General Data Protection Regulation (GDPR) approaches its second year in force.
Meanwhile, EU regulators are drafting stiffer data privacy rules as a follow-on to GDPR that would target platform operators like Facebook and Google.
According to a GDPR fine tracking web site, European data police have so far handed out 228 fines costing violators nearly €146 million ($163 million).
While other huge fines are pending, European telecommunications providers also were hit hard for GDPR violations, accounting for nearly €70 million ($79 million) in fines for data privacy violations, according to the Privacy Affairs GDPR fines tracker. For example, the Italian telecom provider TIM was hit with a €27.8 million ($31.6 million) fine on Feb. 1 by the Italian Data Protection Authority.
The fine, the largest so far against a European company under GDPR, stems from what the web site described as “numerous unlawful data processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent.”
Other steep fines for GDPR violations were levied against Austrian Post ($20.4 million) and two German companies. The German property management firm Deutsche Wohnen SE ($16.8 million) was fined for collecting data on tenants without providing an opt-out option.
Germany’s 1&1 Telecom was hit with a $10.8 million penalty in December 2019 for failing to secure user data. The breach exposed sensitive customer data that could be obtained by providing a client’s name and birth date, according to the data privacy web site.
Still pending are proposed fines against Marriott and British Airways that could be the largest-ever under GDPR. The hotel chain (NASDAQ: MAR) faces a $123 million penalty for a 2018 data breach. The UK airline faces a record fine of $230 million for another data leak in 2018.
The case against Google, filed by two privacy groups the day GDPR entered into force in May 2018, asserted that the U.S. search giant lacked the legal basis for processing user data applied to targeted ads. Under GDPR consent rules, users must expressly consent before companies may process personal data.
As GDPR fines pile up, European data regulators are drafting new “digital sovereignty” rules dubbed the Digital Services Act. Analysts note that DSA, widely viewed as “the Next GDPR,” will seek to hold platform operators such as Facebook (NASDAQ: FB) responsible for content carried on their networks.
DSA promises to be “the defining digital regulation of the decade, as it tackles subjects such as the rights of consumers, censorship, the free market and the responsibility of online platforms,” notes a report released in January by the U.K.-based technology policy analyst Access Partnership.
A draft version of DSA is expected to be released later this year. Among the most nettlesome issues is the regulation of hate speech, which would compel platform operators to determine what content is illegal under expanded European data rules.