Luxembourg showing the way in GDPR tech giant fines
A DLA Piper report found that penalties for violating privacy regulations reached an all-time record in 2021, with Amazon and Facebook receiving the heaviest penalties
Three years after the EU launched the broadest privacy protection regulations in the world, the GDPR, or General Data Protection Regulation, the European data protection authorities are stepping up their enforcement efforts.
According to a new DLA Piper report, the continent ended 2021 with an all-time record in the value of penalties imposed on technology companies: €1.1 billion.
The top two fines were imposed by Luxembourg and Ireland. Luxembourg imposed on Amazon the highest penalty ever issued under the GDPR, €746 million, although the tech giant is still conducting appeal proceedings. Ireland imposed the second largest fine, €225 million, on Facebook (currently Meta) over the failure of its subsidiary WhatsApp to demonstrate transparency on how it handles information.
France had previously imposed the highest single fine ever on a company: €50 million leveled at Google in 2020. Italy has registered cumulative fines of €79 million as of last year.
The record fines comprise a major share of all GDPR fines imposed in 2021, according to DLA Piper’s report, which reviewed GDPR fines and violations in 27 EU countries, in addition to Britain, Norway, Iceland and Liechtenstein. Overall, fines have increased seven-fold compared to €158.5 million in 2020. The study further found that the number of reports of personal data leaks increased for the third consecutive year. Around 130,000 personal data violations were reported to the regulators, with a daily average of 356 reports, an 8% increase compared to 331 daily reports in 2020. The increased enforcement was accompanied by further efforts to undermine the new regulations. For example, a €14.5 million fine related to data storage was rejected.
The sharp rise in fines is related mainly to the strict regulations driven by the Schrems II ruling passed by the European Court of Justice in July 2020. This ruling invalidated the so-called “Privacy Shield” between the USA and EU. This agreement regulated the issue of intercontinental data transfer, but the ruling found that it does not provide Europeans with sufficient protection against tech company surveillance. The ruling in effect set a higher threshold for transferring personal data, inter alia demanding that organizations create a comprehensive mapping of their transfers and of the legal and practical risks that they entail. Since the ruling was passed, companies exporting data from the continent are exposed to multiple fines and damages claims.
The GDPR, which entered into force in May 2018, defines the manner in which sites, regardless of where they are headquartered, compile and retain personal details about their users. Violations of privacy or transparency rules are subject to fines of up to 4% of the annual turnover of the violating company. Beyond the obligation to protect user privacy and report breaches, companies are required to provide users access to all of their personal details. This requirement also includes the “right to be forgotten” (RTBF), i.e. the right to demand that the companies that compiled information delete it entirely.
The situation in Israel in this regard is glum, considering that the Privacy Protection Law has not been significantly updated over the past 40 years. GDPR regulations do not apply in Israel, exposing its residents to the data compilation efforts conducted by the tech giants.