GDPR three years on; reflections on the largest fines so far

25 May 2021 marked the three-year anniversary of the introduction of the General Data Protection Regulation (GDPR) – what a busy three years it has been! GDPR was introduced as Europe’s solution to both harmonising and regulating personal data privacy and security law amongst EU member states.

The GDPR was incorporated into domestic UK law through the Data Protection Act 2018 and, following the transition period, the UK GDPR sits alongside this. Most businesses will now see GDPR as a familiar day to day responsibility, understanding obligations in respect of privacy for personal data and compliance with data processing obligations and any applicable exemptions.

One focus of the European Commission in implementing the GDPR was to hold organisations accountable and to streamline enforcement, carried out nationally, for breaches. Failure to abide by the GDPR may result in fines of up to €20 million or 4% of the organisation’s total worldwide annual revenue for the preceding financial year, whichever is higher.

Needless to say, not all businesses have got it right during the last three years. In fact, over 50% of the total number of fines for that period have been issued in the last year alone. Let’s have a look at some of the largest fines handed out:

1. Google received a £43.2m (€50m) fine in 2019 as a result of Google failing to make consumer data processing statements easily accessible and due to the failure of Google to seek user consent in advance. Google appealed; however, this fine was upheld.
2. H&M received a £32.1m (€35.3m) fine in 2020. This was due to their failure to comply with the transparency principles by monitoring their employees and not informing them of this.
3. British Airways was fined £20m in 2020 following hackers accessing leaked data, including login details, booking details, names, addresses and credit card information. Initially, the proposed fine for British Airways was over £180m as it was concluded that the data breach was due to British Airways’ negligence. However, this was reduced (without appeal) as a result of the economic impact of Covid-19.
4. Similarly, Marriott International Hotels was fined £18.4m in 2020 relating to a data hack that happened years previously. The personal data of around 300m customers (including approximately seven million in the UK) was leaked in the data hack reaching as far back as 2014, which included details such as credit card information, passport numbers and dates of birth. Initially the fine was estimated to be £99m, however this was reduced in a similar way to the fine for British Airways.

These fines generally have been handed out for one of the following reasons:

• Failure to comply with the transparency principles
• Lack of legal basis for data processing
• Not following the principles relating to the deletion of data
• Lack of implementation of adequate security measures.

What could the next three years bring?

Given the dynamic and international environment that we live in, data transfer and associated data protection will become ever more important, as will the enforcement principles surrounding data protection. It therefore seems that the following is likely (or is already underway) in the next few years:

• Inevitably organisations that receive fines will begin appealing on a case by case basis; this may be either against the fine in its entirety or to request that the fines are reduced. We have already seen this with the ICO’s fines for British Airways and Marriott International Hotels. This could create a significant volume of litigation involving the GDPR.
• The European Commission, in looking to achieve a uniform data protection and regulatory scheme, has recently approved standard contractual clauses (SCCs) which must be implemented in order to adequately protect personal data when transferring it out of the EEA. As a result of this, businesses will need to update the relevant agreements with any processors they use outside the EEA.
• Many more UK businesses will be required to appoint an EU representative if UK businesses deal with businesses or individuals in the EEA and/or monitor individuals in the EEA. This is to ensure compliance with the EU GDPR.
• The appointment of Data Protection Officers and specialists in data protection will become more imperative to organisations, especially as enforcement of the GDPR (and UK GDPR) by supervisory authorities becomes stricter and compliance is therefore more time consuming for businesses.
• Carrying out regular and detailed data protection audits will become more important for organisations to demonstrate compliance with the GDPR.