Fines for Data Protection Violations in the EU – What is the Way Forward?
The General Data Protection Regulation (GDPR) has been in force since May 2018. At first, the data protection authorities in the EU countries were slow to impose fines. Companies were thus granted a grace period to integrate the legal requirements into their internal processes.
This changed at the end of 2018. The number of fines imposed and their amount increased significantly.
The authorities even imposed some fines which were close to the maximum amount of EUR 20 million or 4% of annual worldwide turnover. Although not all of the cases described below apply to email marketing, it should be noted that the financial risks of data breaches have increased significantly in Europe.
In the UK, the Marriott hotel chain had to accept a record fine of EUR 110 million at the end of 2018 for a breach that compromised millions of customer records.
In France, Google was fined EUR 50 million in 2019. According to the French data protection authority, Google lacked effective consent for the use of its customers’ data because the company had not provided sufficient information about the exact use thereof.
In Italy, a fine of almost EUR 28 million was imposed on the telecommunications company TIM in 2019 for, among other things, carrying out advertising (in this case telephone advertising) without consent.
The most recent example is the record fine of EUR 35 million imposed in October 2020 in Germany on the fashion group H&M. The group had systematically collected information about employees’ private lives, created profiles, and used them for various measures and decisions in the employment relationship.
But there is also a corrective to the decisions of data protection authorities: courts throughout Europe rule on the legality of fines when the companies concerned challenge them. A current example is the fine of almost EUR 10 million imposed in Germany on the telecommunications company 1&1, which the Bonn Regional Court reduced to less than 10% of the original amount, namely to EUR 900,000. The judges did not question the data protection violation as such. At the time, 1&1 had considered it sufficient authentication in its call centre for a caller simply to state the name and date of birth of the person concerned in order to be given that person's telephone number (i.e. the number of a third party!). The court found, however, that a fine running into millions of Euros was “unreasonably high”.
The judgement will undoubtedly lead to a growing wave of lawsuits against fine notices in the future, especially where the penalties are painful for the companies concerned. It remains to be seen whether courts will tend to reduce fines in the coming years and thereby fundamentally change the decision-making practice of the data protection authorities. For the CSA, the 1&1 ruling in any case gives reason to keep monitoring the decisions of the authorities and the courts closely.