GDPR fines issued so far: an update

Natasha Jordan provides an update on fines levied under the GDPR.

Action taken by the ICO prior to GDPR's introduction

The Information Commissioner's Office (ICO) delivered a number of six-figure fines for data protection breaches under the Data Protection Act 1998 (DPA 1998).  The amount of the monetary penalty determined by the ICO under the DPA 1998 was limited to a maximum of £500,000.

The ICO issued the maximum £500,000 fine to Equifax in September 2018 for failing to protect the personal information of up to 15 million UK citizens affected by a 2017 cyber attack on the credit reference agency. The investigation was carried out under the DPA 1998, rather than GDPR, as the failings occurred before the stricter laws came into force in May 2018.

The ICO also fined Facebook £500,000 in October 2018 (under the DPA 1998 as the breach occurred before GDPR came into force) for the social network's role in the Cambridge Analytica scandal. The information of an estimated 87 million Facebook users was improperly shared with Cambridge Analytica political consultancy through a quiz that collected data from participants and their friends. The investigation found Facebook guilty of allowing application developers access to user information without sufficient consent, failing to secure personal information by making suitable checks on the apps and developers using its platform, and taking inadequate remedial action once the misuse of data was discovered.

In December 2018 the ICO dished out a fine of £200,000 against Tax Returned Ltd for a serious breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR). Tax Returned Limited, sent 14.8 million unsolicited direct marketing text messages without valid consent through a third party service between July 2016 and October 2017, an investigation found. Although some of the consents were received through generic third party consent forms, the ICO found that the wording of the policies was “not clear enough” and that Tax Returned “was not listed on most of those privacy policies”. This incident was not investigated under the current GDPR as the breach occurred before the regulations came into force.

Action taken by the ICO since GDPR came into force

The GDPR came into force in May 2018, introducing a number of significant changes including new rights for people to access the information businesses hold about them, obligations for better data management for businesses, and a new regime of fines and enforcement actions. The ICO now has the power to impose a fine of up to €20million or four percent of global turnover, whichever is greater. So far there have been no fines under GDPR made by the ICO, apart from the punitive fines under the Data Protection Act 2018 for failure to pay the data protection fee.

In October 2018 the ICO issued its first GDPR enforcement action by way of a notice to a Canadian data analytics company, AggregateIQ Data Services Ltd, as part of its ongoing investigation into the company’s use of personal data for analytics and advertising. The notice requires AggregateIQ to "cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes". Failure to comply with this notice could lead to a substantial fine. AggregateIQ is understood to be appealing against the notice.

In November 2018 the ICO fined a number of organisations across a number of sectors for non-payment of the data protection fee. Since May 2018 every organisation or sole trader which processes personal information is required to pay a data protection fee to the ICO, unless it is exempt. The cost of the data protection fee depends on organisation size and turnover. There are three tiers of fee ranging from £40 and £2,900.

Action taken by regulators in other EU member states

Germany’s regulator imposed a fine under the GDPR in the sum of €20,000 for a violation by a social media company of its obligation to ensure data security of processing of personal data. The company had contacted the German regulator to notify it of a data breach following a hack. Email addresses and passwords of approximately 330,000 users were stolen and published by the hacker. It was found that the company did not encrypt its customers’ passwords, instead storing them in plain text, which constituted a violation of Art. 32 GDPR.

Austria’s regulator issued a fine under the GDPR for an organisation that had installed a CCTV camera in front of its establishment but which also recorded images from a large part of the pavement. The Austrian regulator fined the company €4,800 for monitoring a public space without proper transparency and notice.

Over the coming months, more GDPR enforcement action is expected to be issued by the ICO. It is vital that organisations ensure ongoing compliance with all aspects of GDPR to avoid substantial fines.

If you have any questions or would like to know more about our update, please contact Natasha Jordan (Solicitor) on 0161 214 0663, or natasha.jordan@weightmans.com. The Weightmans commercial team advises a wide range of clients from various sectors, with particular expertise in IT, software, e-commerce, manufacturing and retail.

Share on Twitter