Identity Review | Global Tech Think Tank
The General Data Protection Regulation (GDPR) is a regulation in EU law on the protection and privacy of data throughout the European Union (EU) and the European Economic Area (EEA). The GDPR’s focus is to enhance individuals’ control and rights over their data and information and simplify the regulatory environment for international organizations.
The GDPR was adopted in April of 2016 and became enforceable May 25, 2018, replacing the outdated Data Protection Directive passed in 1995. Each country in the European Union must follow the GDPR, allowing no room for error, in contrast to the Data Protection Directive, which allowed each country more flexibility. Since its entry into EU law, various data protection agencies across the EU have filed 50 GDPR enforcement actions against offending firms.
GDPR fines and penalties follow a tiered structure in which, depending on the level of the penalty, the offender can lose a large sum of money. Authorities decide the penalty using a statutory set of criteria that defines the extent of the penalty or fine. Some examples of GDPR penalties include:
Of the penalties, infringement is the most expensive, with fines up to “€20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.” Some of these violations relate to articles governing:
Of the more than 800 fines issued across the European Economic Area (EEA), a few stand out for their magnitude. Amazon’s July 2021 earnings report showed a GDPR fine of €746M ($877M) for violations of cookie consent, the largest fine levied to date. A close second is Google, who attempted to appeal in March 2020, after receiving a fine of €50M ($56.6M) for violations in their user privacy notice. Also notable was the 2020 fine of €35M ($41M) imposed on clothing retailer H&M for alleged monitoring of its employees and their private lives. Among the lesser known but likewise significant GDPR fines: British Airways’ fine of €22M ($26M), Marriott’s fine of €20.4M ($23.8M) and Vodafone Italia’s fine of €12.3M ($14.5M).
The regulations enforced by the GDPR show why the protection of personal data is necessary. As technology continues to evolve, laws must be discussed and put in place to protect individuals and organizations.