Note: All GDPR fine amounts listed in euros in the source data are converted to dollars at an exchange rate of 0.97 US dollars per euro (effective as of September 26, 2022).
Overview
The General Data Protection Regulation (GDPR) is the European Union’s law on data protection and privacy, proclaimed as the strongest data protection law to date by its own website. First proposed in 2012, the GDPR was adopted in April 2016 and went into effect in May 2018. Because the GDPR applies to any company processing personal data on consumers within the EU and other participating countries such as the UK, many companies based outside the EU must be GDPR-compliant to avoid fines.
Over the last two years, GDPR fines have increased in both frequency and cost, with fines imposed on companies operating in a broad range of industries, including US Big Tech giants like Amazon, Meta, and Google. Just this month, Ireland fined Meta US$394 million over concerns about the privacy protections for Irish teenagers, according to the Financial Times. On September 26, UK officials fined TikTok US$29 million for “failing to protect children’s privacy,” according to TechCrunch.
Background
GDPR replaced the 1995 Data Protection Directive, which was built on Organisation for Economic Co-operation and Development guidelines for protecting sensitive consumer information. Although it was binding for all of the EU, the directive suffered from fragmented implementation across the EU member states, legal uncertainty, and public perception of risk, according to Recital 9 of the GDPR. To address those issues, the GDPR introduced three main changes:
1. Streamlined implementation: GDPR is applied equally to all consumers in EU member states and other participating countries.
2. Private right of action: Affected EU consumers can sue companies and seek damages for infringement of GDPR guidelines.
3. Penalties tied to company revenue: Organizations that fail to comply with certain articles can receive a fine of up to 4 percent of global annual revenue or up to €20 million, whichever is higher. Lesser violations can be fined up to 2 percent of global revenue. Other enforcement tools include warnings, audits, bans on processing, and withdrawal of GDPR certifications.
After adopting the regulation in 2016, the EU gave companies a two-year grace period in which they could learn how to ensure compliance and so avoid fines and investigations. While information on GDPR enforcement actions is not always released to the public, the available data on penalties reveals an increasing trend over the first three years of the law, with penalties leveling out since 2021.
While a few major fines have been imposed on Big Tech companies such as Amazon and Meta, most GDPR fines are being doled out to Europe-based companies. Countries within the EU have taken different approaches to GDPR implementation based on their unique business environments. Spain, for example, has issued the highest number of fines (477) but has tended to limit the monetary value of the penalties, with fines totaling just over US$54 million. Ireland, in contrast, has issued only 16 fines, but their monetary value has been high (US$630 million in total). These discrepancies are related to the size of the companies located in these countries, as well as to each country’s history of data protection and the level of consumer concern about it.
Among the Big Tech companies, Amazon, Meta, and Google have all been fined under the GDPR, but none of these fines has reached the maximum amount (4 percent of global revenue). Amazon has been fined only once, but the penalty imposed on it ($726 million) was the largest fine reported under GDPR, representing 2.4 percent of Amazon’s global revenue in 2021. In contrast, the largest fines given to Meta and Google ($394 million and $88 million) have represented only 0.3 percent and 0.03 percent of their global revenues, respectively.
While GDPR fines have been imposed for different types of data privacy breaches, the top two violations are 1) non-compliance with data processing principles and 2) insufficient legal basis for processing data, according to the CMS Law GDPR enforcement tracker. Non-compliance with data processing principles involves violations of the basic principles of GDPR and is considered one of the most serious infringements. Amazon was cited under this violation for its $726 million fine. Insufficient legal basis for data processing is also considered a violation of GDPR basic principles and could include Article 82, which gives data subjects the ability to seek compensation for damages. Google has totaled $146 million in fines that cited Article 82, indicating that the company was held liable for damage to a consumer.
Why Is This Important?
One of the consequences of strict privacy regulation is the financial effect it has on small businesses. With fines now being issued regularly and more frequently than in previous years, small and medium-sized enterprises (SMEs) in Europe are having to stay alert to ensure that they avoid fines, particularly in countries like Spain where fines have been more frequent. During GDPR’s initial two-year grace period, reports from smallbusiness.co.uk showed that SMEs in the UK spent over 600 hours on average preparing to become GDPR-compliant. Globally, firms forecasted spending over US$1.4 million on costs associated with preparations for GDPR compliance, according to Veritas Tech.
Even with all that time and money spent, at the beginning of 2018, IT Governance reported that only 29 percent of EU-based businesses were fully GDPR-compliant. And just in August 2021, a survey of 1,110 SMEs conducted in the UK by REaD Group revealed that over half were not adhering to GDPR’s legal requirements, even though 85 percent said they were familiar with GDPR.
Since the GDPR went into effect, the US has proposed the first comprehensive federal data privacy and protection bill, which is currently being considered in the House of Representatives. As noted in our previous Tech Digest, the US is considering implementing one of the GDPR features called “private rights of action,” which would allow US consumers to hold companies liable for data privacy breaches. Besides impacting Big Tech companies that rely on data tracking tools for targeted advertisements and content, the European experience shows that new privacy regulations could potentially impose considerable costs on small businesses in the US, too.
As we discussed in Share the Data: Overcoming Trade-Offs in Tech Regulation, the challenge is to find the right regulatory balance between improving consumers’ welfare while limiting data usage misconduct.
What Happens Next?
As the European nations (and the US) seek to support SMEs as major job creators and vehicles for economic advancement, countries will have to strike a balance between cracking down on privacy breaches by issuing more fines and maintaining a business-friendly environment at the expense of consumers’ privacy. With pressure mounting on Big Tech companies to protect consumer data, regulators are hard-pressed to hold them accountable. With the growing demand for accountability, countries will be asked to balance equal enforcement of the regulation across all companies with ensuring that Big Tech companies are held sufficiently liable for data privacy violations.