The news that Facebook is facing a fine in the USA from the Federal Trade Commission in the sum of $5billion, in relation to the access of information by Cambridge Analytica, reminds us of the potential fines introduced under the GDPR. As has frequently been reported, the maximum fine under the GDPR is €20million or 4% of worldwide turnover, whichever is higher.
In the UK, Facebook has already been issued with a fine by the ICO in relation to the Cambridge Analytica investigation but as fines prior to GDPR were capped at £500,000, the ICO was only able to issue a fine of £500,000.
To date, the ICO has not issued a fine for a breach of the GDPR. However, fines have started to be issued by other European data protection authorities. As we wait to see the approach the ICO is going to take and who will be the recipient of the first GDPR fine from the ICO, we have taken a look at the fines raised to date across the EU and set out a few highlights below:
- France - the data protection regulator, CNIL, fined Google €50million for a failure to provide transparent information regarding ads personalisation.
- Poland - a digital marketing company has been fined €220,000 for a failure to meet the Article 14 privacy notice requirements.
- Germany - a chat platform was hacked and passwords and email addresses of users were published online resulting in a fine of €20,000.
- Austria - an entrepreneur was fined €4,800 for the use of CCTV outside his establishment, which amounted to large scale processing in violation of the GDPR as there was no transparency.
- Portugal - a hospital was fined €400,000 after an inspection found that the hospital was in breach of the Article 5 principles of data minimisation, and integrity and confidentiality.
- Denmark - the Danish data protection authority fined a taxi company €180,000 for failure to comply with the principles of purpose limitation, data minimisation and storage limitation.
The breaches and levels of fines are wide-ranging and it is no surprise that the highest fine has been imposed on Google. The fines deal with hacking, breaches of the key principles established under the GDPR and a failure to meet transparency requirements. The issues raised in these fines are not new but the potential for increased fines certainly focusses the mind.
Recent data breaches in the UK have been reported in the news and a number of complaints have been made to the ICO. We therefore wait to see whether these result in large fines being issued by the ICO and whether the ICO is influenced by the fines issued to date by other EU countries. Whilst the Information Commissioner Elizabeth Denham was keen to stress last year that the ICO preferred the “carrot to the stick” approach, fines are inevitable and it is only a matter of time before we start to see these being issued. Indeed, speaking at a recent conference, Elizabeth Denham hinted that there will be fines issued in the near future so watch this space.