GDPR Fines: Are They Working?

Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has been instrumental in shaping data privacy and protection practices worldwide. In the first few years following its enforcement, regulatory bodies diligently monitored compliance.

As organizations strove to comply with the regulation's stringent requirements, several high-profile cases emerged, including the significant data breach at British Airways that exposed the personal information of 500,000 customers and laid bare how poorly some businesses were safeguarding personal data. Regulators took swift action, imposing substantial fines running into the millions on companies found guilty of violating GDPR provisions.

In September 2022, the UK’s Information Commissioner’s Office (ICO) announced its intention to fine TikTok £27m for breaches of the UK GDPR law. It accused the social media network of collecting personal data from under 13-year-olds without parental consent, failing to provide proper information to users in a concise, transparent and easily understood way, and processing special category data without legal grounds to do so.

On April 4, 2023, the ICO revealed that the actual fine would be £12.7m, less than half of the sum originally anticipated and just 0.001% of TikTok's 2022 revenue. This is despite the maximum possible fine being 4% of global annual turnover.

In fact, since the introduction of GDPR, there have been very few fines issued by the ICO. Some EU countries have issued more, although many of these have been very low value. Even the largest fines have typically been less than 0.01% of annual turnover – for instance, in 2019, the French data protection authority (CNIL) fined Google €50m for lack of transparent information, and in 2021, Amazon was fined €746m by the Luxembourg National Commission for Data Protection (CNPD) for breaches related to targeted advertising. Meta was also fined €405m by the Irish Data Protection Commission (DPC) in 2022 for breaches related to the handling of children’s personal data.

It’s hard to imagine such comparatively small penalties serving as an effective deterrent to tech giants with vast financial resources. A cynic might even think that the armies of privacy lawyers being hired within these organizations are only there to help the companies find ways to avoid the rules and defend against enforcement action rather than helping them comply with best practices.

However, where the threat of fines is ineffective, the risk of bad PR and the resulting erosion of public trust may give some organizations at least a brief pause for thought. As data breaches continue to make headlines, there is a growing sense that major tech corporations cannot be trusted to protect individuals. TikTok, in particular, has faced scrutiny over its data protection practices, and some governments have already banned staff from using TikTok due to concerns about data privacy. Google has also suffered from being compared negatively on privacy matters to Apple, a brand with a strong reputation for protecting users’ rights.

While regulators could (and arguably should) increase fines for major corporations that breach the regulations, ultimately, it will be the public that makes big tech take notice. As long as people continue to use these services, tech giants will leverage their data as much as they can (or can get away with). Real change will happen only when users vote with their feet and choose alternative providers. It is up to individuals to ask themselves how much they care and if they are willing to choose a different social media platform, search engine or online shop. For many, it is a tricky balance.
