It’s been three years since the introduction of Europe’s data privacy and security law on 25 May 2018.
GDPR governs how organisations that operate within the EU, or that handle data on people in the EU, may collect, use, process and store individuals’ personal data.
At first, smaller firms and start-ups feared they did not have adequate resources to fully comply with its rules.
Other critics suggested the legislation relied too much on consumers knowing and understanding their rights.
Since its launch, hundreds of millions of euros worth of fines have been handed out by information commissioners around Europe.
Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees, and companies not complying with the “right to be forgotten” law.
The legislation replaced older data protection laws, and while it was drafted in Europe, regulators can fine organisations anywhere in the world which target people in the EU or collect data about them.
There are two tiers of penalties, with a maximum of 20m euros (£17.29m) or 4% of global annual turnover, whichever is higher.
The money collected is used to fund public services. Here are the biggest fines recorded so far:
- British Airways (211.7m euros)
In 2019 the ICO announced its intention to fine British Airways £183m (211.7m euros) over a 2018 breach in which traffic from its website was diverted to a fraudulent site; the final penalty, issued in October 2020, was reduced to £20m.
Through the data breach, hackers were able to harvest the personal data of about 500,000 customers.
The leaked data included login and travel booking details, names, addresses and credit card information.
The Information Commissioner’s Office (ICO) said the hack was the result of British Airways’ negligence.
Alex Cruz, the airline’s chairman and chief executive, said it was “surprised and disappointed” in the ICO’s initial findings.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” he said.
“We apologise to our customers for any inconvenience this event caused.”
- Marriott International Hotels (110.3m euros)
US hotel group Marriott International was served with a notice of intent by the ICO in 2019, in relation to a breach of the Starwood guest reservation database dating back to 2014 which was not uncovered until 2018; the final penalty, issued in October 2020, was £18.4m.
The hack exposed the personal details in about 339 million guest records, including credit card information, passport numbers and dates of birth.
Following an investigation, the ICO ruled that Marriott had failed to do enough to safeguard its systems.
- Google (50m euros)
Google was one of the first companies to be hit by a substantial GDPR fine.
It was fined in January 2019 after the French regulator CNIL ruled that the company had failed to make its data processing information easily accessible to its users.
The regulator also found that Google had not obtained valid consent from users to process their data for personalised advertising.
- H&M (35.3m euros)
H&M was fined by the Hamburg data protection authority in October 2020 after it was found to have been secretly monitoring hundreds of its employees at a service centre in Nuremberg.
If workers took holiday or sick leave, they were required to attend a meeting with senior staff at the retail giant on their return.
These meetings were recorded, and made accessible to H&M managers without the knowledge of staff.
The data collected from the interviews was used to make a “detailed profile” of workers, which then influenced decisions concerning their employment.
- Amazon (35m euros)
Amazon was fined by the French regulator CNIL in December 2020 over cookie consent violations.
It was found that the tech giant had deposited cookies on users’ devices without their permission.
It also failed to provide enough information about the cookies, or how visitors to its French website could refuse them.
Where does GDPR money go?
In the UK, all penalties handed out by the ICO are paid into the Consolidated Fund, a central government account controlled by the Treasury.
The Consolidated Fund is the government’s general bank account at the Bank of England.
It was established in 1787 with the purpose of being “one fund into which shall flow every stream of public revenue and from which shall come the supply of every service”.
This means that just like tax revenue, GDPR fines are used to fund public services.
The majority of other countries in the EU use a similar structure.
Rob Elliss, from tech company Thales, says that despite success so far in handing out substantial fines, GDPR will face more challenges in a post-Covid world.
“When GDPR was first drafted, the legislation did not necessarily account for the adoption of new technologies and rapid migration to the cloud brought on by the pandemic,” he said.
“In this remote working era, businesses needed to digitally transform almost overnight just to keep the lights on, without necessarily incorporating security in the design of new systems and processes.”