The European Union’s (EU) General Data Protection Regulation (GDPR) has been in effect since May 2018, and its goal of protecting the personal data and privacy of individuals in the EU is coming to fruition. National data protection authorities have issued steep fines for GDPR violations even where no data breach occurred. Under the GDPR, regulators can impose fines of up to four percent of an organization’s worldwide annual revenue or 20 million euros, whichever is higher. It is important to remember that the law reaches organizations outside the EU if they offer goods or services to individuals in the EU or monitor their behavior. Every organization subject to the law should therefore make sure its compliance program is in order. Avoiding these penalties and business interruptions is crucial, especially since other jurisdictions are adopting stricter consumer privacy laws of their own.
Two Noteworthy GDPR Fines
Two recent GDPR fines stand out because they clarify what conduct the law does not permit. On Aug. 5, 2020, France’s data protection authority (the CNIL) announced a fine of 250,000€ against the online shoe retailer Spartoo. The decision was significant as the first CNIL sanction adopted under the GDPR’s one-stop-shop cooperation procedure with the other EU authorities concerned. The violation arose because the company recorded every customer service call in full and permanently, and justified the practice as employee training. After investigation, the CNIL concluded that the recording was excessive given the volume of recordings and the breadth of information captured, which often included personal identifiers and payment card details spoken aloud. Moreover, only the training supervisor listened to the recordings, and only to a small fraction of them. The CNIL also found that Spartoo did not adequately secure the data it held; among other things, its password requirements were too weak. In addition to the fine, the agency issued an injunction with a daily penalty for each day compliance was delayed. The decision is a key enforcement action because it illustrates the data minimisation principle: recording every call in full, when only a handful are ever reviewed, collects and retains far more personal data than the stated training purpose requires. Companies should review their own training programs with that principle in mind.
The second noteworthy fine was issued in Germany against H&M, the global clothing retailer. In October 2020, the Hamburg data protection authority fined H&M 35,258,708€ after it came to light that managers at the company’s customer service center in Nuremberg had been recording and storing private information about employees since at least 2014. The practice was exposed in October 2019, when a configuration error made the records visible company-wide for several hours. The employee profiles contained data such as religious beliefs, medical diagnoses, details of vacations, and family problems, much of it gathered in informal conversations and “welcome back” talks after absences, and all of it accessible to the managers overseeing the center. The authority concluded that this was a severe violation of the employees’ privacy rights and that there was no lawful basis for collecting and sharing this information, much of which falls into the special categories of personal data (such as health and religious belief) that the GDPR protects most strictly. H&M apologized to the affected employees, offered monetary compensation, and introduced new data protection training for management. The fine was the largest issued in Germany under the GDPR to that date, and it puts organizations on notice that covertly compiling this kind of information about staff will be treated as seriously as an external breach.
Other Significant Enforcement Actions
Other notable GDPR fines in 2020 include the following:
- Two fines against Google: 7 million euros (SEK 75 million) in Sweden and 600,000€ in Belgium. Both resulted from the search engine failing to delist results after individuals exercised their right to erasure (the “right to be forgotten”). In Belgium, Google argued that the processing was the responsibility of Google LLC in the United States rather than Google Belgium, but the authority rejected this, holding that the Belgian entity was sufficiently linked to the processing to be held liable. The corporate structure cannot be used to avoid accountability.
- Denmark’s data protection authority sought a fine of 147,675€ (DKK 1.1 million) against the Arp-Hansen Hotel Group for failing to delete the records of past guests from its systems once the data was no longer needed.
- The Dutch data protection authority fined the Royal Dutch Tennis Association (KNLTB) 525,000€ after the organization sold its members’ personal data to two sponsors, concluding that it had no legitimate interest that could justify the sales.
2021 and Beyond
2020 has been an important year for GDPR enforcement. As of October 2020, 18 companies had incurred major fines during the year. The H&M fine shows that internal breaches are treated as seriously as external ones and that employers cannot indiscriminately record information about their staff. The other fines discussed here show data protection authorities becoming more proactive about consumer privacy, acting to prevent breaches and to limit the fallout when one occurs. As we move into 2021, further decisions will surely shed light on additional scenarios that amount to GDPR non-compliance. Organizations should keep monitoring these decisions and new fines, especially when they address conduct not previously sanctioned. Best practices include a sound information governance program that does not encourage unnecessary collection or retention of personal data, defined retention periods that are actually enforced, and prompt handling of individuals’ requests.