TOP-7 fines of 2022 for violation of the GDPR rules

Is 1,000 EUR a lot for a business? What about 100,000 EUR? And 405,000,000 EUR? This is the amount of a fine paid by a well-known company for violating the rules of the European General Data Protection Regulation (the GDPR). In this article, you will learn about the top 7 largest fines of 2022 and the personal data practices that should be avoided in your business.

The GDPR stipulates that European supervisory authorities are authorized to impose fines of up to 20,000,000 (twenty million) EUR or up to 4% of the company’s total global annual turnover for the previous financial year, whichever is higher (ouch). What this amount may be in practice is examined below.

7th place

Who: REWE International AG

When: January 14, 2022

Where: Austria

How much: 8,000,000 (eight million) EUR

For what: Lack of legal basis for data processing

The list opens with a fine imposed on REWE International, a retail company (PENNY, BILLA, BIPA and other stores), for careless handling of the data of customers who participated in the joint customer loyalty program of Rewe, OMV and other partners – jö Bonus Club. The program collected customers’ personal data without their consent and used it for marketing purposes. REWE International announced its intention to appeal the decision.

In short: 

  • REWE International does not accept liability because the loyalty program is provided by jö Bonus Club, which is operated by Unser Ö-Bonus Club GmbH, a legally and economically independent subsidiary, and in REWE International’s opinion, the parent company should not be held responsible for the data processing in this case; 
  • this is the second sanction in two years (in the first case, jö Bonus Club illegally used millions of members’ data for profiling purposes and was fined 2,000,000 EUR).

The main lesson: define the roles of the companies involved, clearly delineate responsibilities, and do not hide from your customers where their data is transferred.

6th place

Who: Google LLC

When: May 18, 2022

Where: Spain

How much: 10,000,000 (ten million) EUR

For what: Lack of legal basis for data processing

Google was fined so heavily for transferring data to third parties without a lawful basis (Article 6 of the GDPR) and for obstructing users’ right to delete their data (Article 17 of the GDPR).

Google transferred personal data to the Lumen project, based at Harvard University. The project was launched in 2002 to study requests related to the removal of content from websites in the United States and abroad. The data collected could be made available to researchers and other interested parties. 

Users of platforms operated by Google, such as YouTube or Google Drive, could request the removal of content about themselves on these platforms through various contact forms provided by Google. However, the personal data of users of these forms (their identity, email address, reasons for takedown and website URL) were automatically transferred to the Lumen project, and such users had no possibility to object to this transfer, as it was a condition of using the form.

For this reason, it was found that the transfer of data by Google to the Lumen project was imposed on users and therefore carried out without their valid consent. Google did not provide users with sufficient opportunity to exercise their right to have their data deleted. 

In assessing the fine, the supervisory authority took into account the following aggravating factors:

  • the data was not only disclosed, but also transferred to a third country without the users being able to object to it, depriving them of control over their data; 
  • the transfer took place over a very long period of time; 
  • a large number of individuals were affected, and in some cases sensitive data was processed.

The main lesson: have a legal basis for each processing, do not hide from users to whom their data is transferred, and provide an opportunity to actually exercise their rights. 

5th place

Who: Meta Platforms Ireland Limited

When: March 15, 2022

Where: Ireland

How much: 17,000,000 (seventeen million) EUR

For what: Insufficient technical and organizational measures to ensure information security

The decision is based on 12 notifications of personal data breaches that occurred between June 07, 2018 and December 04, 2018. Although the Irish supervisory authority found that the information and supporting documentary evidence provided by the company could be considered similar to industry best practices and the state of the art, Meta Platforms did not take appropriate technical and organizational measures that would allow it to easily demonstrate the security measures it had put in place in practice to protect the data of EU users in the context of these 12 breaches. As the company itself stated: “This fine relates to record-keeping practices from 2018, which we have since updated, and not to a failure to protect people’s information.”

As a result of the review, the Irish supervisory authority found a violation of Art. 5(2) (violation of the principle of accountability – the ability to demonstrate one’s own compliance) and Art. 24(1) (availability of technical and organizational measures to ensure information security) of the GDPR.

The main lesson: The GDPR is more than a set of documents. Privacy rules must be actually implemented in the company, not just stated on paper.

4th place

Who: Clearview AI Inc.

When: October 17, 2022

Where: France

How much: 20,000,000 (twenty million) EUR

For what: Insufficient fulfillment of data subjects’ rights

This year, Clearview AI Inc. received four fines: three of 20,000,000 EUR from France, Italy and Greece, and one of 9,000,000 EUR from the United Kingdom. Clearview AI collects photos from many websites, including social networks, and offers access to its database of images (as many as 20 billion!) in the form of a search engine. In this system, a person can be searched for on the basis of biometric data extracted from publicly available photos and videos (those that can be viewed without logging into an account). The American company offers this service to law enforcement agencies to identify criminals or victims of crime, and the vast majority of people in this database are unaware of it.

Facial recognition technology is used to query a search engine and find a person by their photo. To do this, the company builds a “biometric template,” which is a digital representation of a person’s physical characteristics (in this case, face). According to the GDPR, such data is particularly sensitive because it is associated with physical identity and allows for unique identification.

The French supervisory authority found that:

  • the processing of personal data was unlawful, as the collection and use of biometric data were carried out without a lawful basis (Article 6 of the GDPR);
  • the company restricted the exercise of data subjects’ rights, for example, by limiting the number of access requests a person could make, ignoring some requests or responding to them incompletely (Articles 12, 15 and 17 of the GDPR);
  • the company did not respond to the official notification of the French supervisory authority to cease the unlawful actions and was reluctant to cooperate during the investigation (Article 31 of the GDPR). 

The main lesson: the GDPR applies not only to companies registered in Europe; you need to know what categories of data your company handles and whether there are special rules for them; you need to cooperate properly with the supervisory authority during the investigation.

3rd place

Who: Meta Platforms Ireland Limited

When: November 25, 2022

Where: Ireland

How much: 265,000,000 (two hundred and sixty-five million) EUR

For what: Insufficient technical and organizational measures to ensure information security

In April 2021, the media reported on the leak of personal data of Facebook users. The phone numbers, emails, full names, dates of birth, and other personal information of 533 million users became available on the hacker platform. 

Personal data of the platform’s users were extracted from public profiles in 2018 and 2019 by means of scraping, which is the automated collection of data from a website or app. In this regard, the Irish supervisory authority (the DPC) analyzed and evaluated the tools designed to find Facebook friends by phone number using the search and contact import functions: Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer, and Messenger Search.

As part of the investigation into Meta Platforms’ compliance with the principles of privacy by design and by default, the DPC found violations of Article 25 of the GDPR: 

  • the lack of appropriate measures led to the fact that the relevant Facebook functionality could be used by attackers to create datasets rather than to search for known Facebook user profiles; although Meta Platforms introduced rate limits and bot detection measures to mitigate the risk, these measures were not sufficient to reduce the risk of fake account activity and data collection by bots;
  • the lack of proper measures allowed attackers to use the relevant functionality to find out whether random combinations of numbers and letters correspond to valid phone numbers and email addresses, and if so, to find out the identity of the Facebook user to whom this data belongs;
  • the search settings for users of the relevant functionality were automatically set to include the phone number and email address of each Facebook user, even if the data subject did not provide his or her phone number for search purposes, i.e. Meta Platforms made this personal data available without the data subject’s intervention to an indefinite number of individuals. 

The main lesson: when implementing a new feature in your services, you need to take care of the privacy of end users, including the technical and organizational security measures taken and the processing of only the data that is necessary. Attention should be paid to the appropriateness and proportionality of the measures, the state of the art, the cost of implementation, the specific risks for users, and the nature, scope, context and purposes of the processing.
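To make the three Article 25 findings above concrete, here is an added illustration (not code from the article or from Meta Platforms) of a toy “find friends by phone number” lookup: a weak version that acts as a validity oracle with no quota and no respect for user settings, beside a privacy-by-default version. The directory, names and numbers are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    phone: str
    discoverable_by_phone: bool = False  # privacy by default: discovery is opt-in

# Constructed sample directory for the demo (not real people or numbers).
DIRECTORY = {
    "+43111111111": User("Anna", "+43111111111", discoverable_by_phone=True),
    "+43222222222": User("Bert", "+43222222222"),  # never opted in to lookup
}

def legacy_lookup(phones):
    """The weak pattern described in the decision: no quota, every registered number
    matches regardless of the user's settings, and the reply separates 'registered'
    from 'unknown', so random candidate numbers can be sifted for valid ones and
    tied to an identity."""
    return {p: (DIRECTORY[p].name if p in DIRECTORY else None) for p in phones}

@dataclass
class ContactImporter:
    """Hardened pattern: a hard per-session quota, opt-in discoverability, and a
    result that lists matches only, so unknown and non-discoverable numbers are
    indistinguishable to the caller."""
    quota_per_session: int = 3  # deliberately tiny for the demo
    _used: dict = field(default_factory=dict)

    def import_contacts(self, session_id, phones):
        used = self._used.get(session_id, 0)
        if used + len(phones) > self.quota_per_session:
            # every submitted number counts, so many small requests do not evade the cap
            raise PermissionError("contact import quota exceeded for this session")
        self._used[session_id] = used + len(phones)
        matches = []
        for phone in phones:
            user = DIRECTORY.get(phone)
            if user is not None and user.discoverable_by_phone:
                matches.append(user.name)
        return sorted(set(matches))
```

A real deployment would also need bot detection and per-account (not only per-session) limits, which the decision notes were present but insufficient; the point here is that a quota alone does not help if the endpoint still confirms which numbers exist.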

2nd place

Who: Meta Platforms Ireland Limited

When: December 31, 2022

Where: Ireland

How much: 390,000,000 (three hundred and ninety million) EUR

For what: Non-compliance with general data processing principles

The end of 2022 was marked by productive work by the DPC for privacy practice and by one of the three largest fines of the year. In two decisions, the DPC fined Meta Platforms for non-compliance with the personal data protection rules in its two well-known services – Facebook and Instagram. Facebook received a fine of EUR 210,000,000 and Instagram EUR 180,000,000.

On the eve of May 25, 2018 (the date of entry into force of the GDPR), Meta Platforms changed its terms of service (Facebook’s Terms of Service and Instagram’s Terms of Use), which concerned, in particular, behavioral advertising. The GDPR violations included, among other things, the following:

  • Meta Platforms had no legal basis for processing personal data for the purposes of behavioral advertising. The new terms of service did not rely on the consent of users, but on the performance of a contract between Meta Platforms and the user (Article 6(1)(b) of the GDPR) for most personal data processing. In order to use (or continue to use) Facebook and Instagram, the user was obliged to agree (by clicking a single “I Agree” button) to the updated terms of service and behavioral advertising as part of the service.
  • In fact, as the European Data Protection Board (the “EDPB”) noted, behavioral advertising was not an essential or core element of the services and was not objectively necessary for the performance of the contract between Meta Platforms and the user.
  • In addition, Meta Platforms violated the obligations of transparency and notification of users in accordance with Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR. The company failed to explain to users for what purpose and on what legal basis their personal data is processed.

The main lesson: each processing for a specific purpose requires a lawful basis, and you should not try to cover unrelated processing operations with a single basis; the GDPR articles are interrelated, and a violation of one provision often leads to a violation of the main principles.

1st place

Who: Meta Platforms Ireland Limited

When: September 05, 2022

Where: Ireland (final decision made by the EDPB)

How much: 405,000,000 (four hundred and five million) EUR

For what: Non-compliance with general data processing principles

Instagram received the largest fine of 2022 for violating the privacy of its young users. The GDPR pays special attention to the protection of children’s privacy. The app allowed teenagers aged 13-17 to create business accounts, which provide access to more analytical data on how other users interact with the profile.

According to recital 38 of the GDPR, special safeguards should be applied in cases where children’s data is used to create user profiles, as children may be less aware of the risks, consequences and safeguards, as well as their rights in connection with the processing of their data.

As a result of the case, it was found that the social network’s unlawful actions potentially affected the rights of millions of teenagers and that the company violated a number of GDPR articles: 5(1)(a) and 5(1)(c) on the principles of data processing; 6(1) on the grounds for data processing; 12(1) on transparency and notification of data processing; 24 on the controller’s responsibility; 25(1) and 25(2) on data protection by design and by default; and 35(1) on the data protection impact assessment, which was found to be inadequate. In particular:

  • Instagram business accounts made the contact information of young users (mobile phone numbers and email addresses) publicly available through their profile page;
  • children were not made aware of the fact that their data would be made public and the risks involved;
  • the default settings of the minors’ accounts were set to “public”, which made their social media content publicly viewable unless they changed their account settings;
  • Instagram failed to implement appropriate policies given the potential harm that the platform could cause to children; 
  • the processing (publication of numbers and emails) could not be carried out either as necessary for the performance of a contract under Article 6(1)(b) of the GDPR (the processing cannot be considered specifically necessary for the performance of a contract with a child) or on the basis of legitimate interest under Article 6(1)(f) of the GDPR (the processing was either not necessary or, if considered necessary, it did not pass the balancing test required for determining the legitimate interest).

The main lesson: the GDPR establishes special rules for processing children’s data and violation of such rules can lead to a particularly large fine; determining the correct basis for processing is the core of a company’s work; compliance with the principles of privacy by design and by default is the responsibility of the controller.

Conclusion

So many zeros can make you dizzy. But when dealing with personal data, you should keep a cool head and know your product well. Violation of the GDPR rules does not always result in a fine, and therefore it is better to use a preventive mechanism – to consult with experienced lawyers, foresee possible investigation scenarios, prepare arguments and evidence in advance. Such a power move will shed light on all the risky aspects of practices related to personal data processing, or will help to properly get out of a potentially damaging situation when working in the European market.
