Supervisory authorities for personal data protection across Europe are gaining in confidence and capacity, which is reflected in the statistics on penalties for violations. More and more case-law on interpreting GDPR requirements has been collected from the prosecution of tech giants with cross-border services, and it is used with increasing skill. Also, the statistics strongly indicate a shift in the supervisory focus toward artificial intelligence and machine learning.
Trends in fines
In the second half of 2022, the European data protection supervisory authorities imposed 280 fines totalling around €742 million. The year 2023 is unlikely to show a downward trend in fines; in January alone, fines totalled €396 million. By the end of 2022, data controllers had been fined €2.36 billion in total for GDPR breaches.
The sectoral breakdown of the total number of data protection breaches has not changed. The sectors most fined are commerce, media and telecommunications, financial services, health care, and the public sector. This is understandable, as these are inevitably the sectors where the most personal data is used.
It is also interesting to see the statistics on the total number and amount of GDPR fines imposed by country. These statistics show clearly which countries most often hold the European branches of global tech companies accountable (for example, Ireland: 23 fines and €1.3 billion since 2018; Spain: 594 fines and €58 million since 2018).
Some examples from the second half of 2022
Instagram (Meta Platforms, Inc.)
Meta's subsidiary Instagram was fined €405 million by the Irish data protection authority in September, making it the second largest fine so far, just below the €746 million fine received by Amazon in 2021.
The investigation was launched in 2020 and, with the help of third-party tips, reached its final conclusions in September 2022. The company had allowed children aged 13-17 to use business accounts, which expose the account holder's email address and phone number. In addition, the accounts of minors were not set to private by default and in some cases could be viewed by the public.
That is a little more than €405 million in school fees just for learning the principles of privacy by design and privacy by default.
Meta Platforms Ireland
In November, the Irish DPA fined Facebook's parent company Meta €265 million for inadequately implementing information security measures to protect user data.
The data protection authority launched an investigation following news that the data of more than 533 million users had been found online. The data was found on a hacker website and reportedly included names, Facebook IDs, phone numbers, locations, birth dates, and email addresses of people from more than 100 countries. Meta said the data had been scraped from Facebook using tools designed to help people find their friends via phone numbers, using the search and contact import functions.
The focus is shifting to AI
European data protection supervisors continue to use fines to make non-compliant business models expensive and therefore unprofitable. The statistics strongly indicate a shift in the supervisory focus toward artificial intelligence and machine learning, and toward the use of personal data to train AI. It should also be noted that discussions are ongoing in the European Union on a possible partial ban on facial recognition technologies.
Does your company need a DPO?
Hedman data protection experts can help you decide whether your organisation is obliged to appoint a data protection officer or, in the absence of such an obligation, whether it would be beneficial to do so given the profile of your company and the area in which it operates.
If an organisation needs to appoint a data protection officer, or wishes to appoint one voluntarily to mitigate risks, but the workload is relatively small, outsourcing the DPO role should be considered.