Do They Even Matter?—The 3 Largest GDPR Fines To Date

Cole Pruden | Data Protection, GDPR, Personal Data

For years now, the GDPR has been criticized for offering more bark than bite. As the fines stand, many mega-companies like Amazon and Google are simply getting away without a scratch.

All this has left us wondering, what are the 3 biggest GDPR fines so far, and do any of them actually matter?

Knowing the GDPR

Before we get to answering those questions, I would hope all of us are already familiar with the GDPR. But just to be safe, it’s important to know the official definition (1) as well as its objective (2):

The General Data Protection Regulation

  1. A regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
  2. The primary objective is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

Basically, the GDPR states the laws that dictate how personal data is used and stored in the EU. If you’re looking to learn more on the subject, be sure to check out our article Making GDPR Compliance Simple.

Just a Bump in the Road?

Now that we’re all up to speed, the other aspect of the GDPR worth noting is the potential fines companies stand to receive for breaching it. Officially, the fine stands at up to 20 mil Euro or 4% of the company’s annual turnover for any rule breaking.

Even though that may sound like a lot to any mom-and-pop shops out there, for corporate goliaths like Amazon, Google, and H&M, the reward oftentimes well outweighs the punishment. You see, the GDPR has been criticized for years now for dealing out fines that feel like a slap on the wrist at best, and an incentive to continue breaching it at worst.

1st Place Goes to Google France

Our first offender, and the largest GDPR fine paid to date, is none other than Google, specifically, Google France.

In 2019, Google France was fined $57.8 million for its “lack of transparency, inadequate information, and lack of valid consent regarding ad personalization”. But what does that actually mean?

In summary, Google failed to provide enough information to users regarding consent policies and did not allow them enough control over how their personal data is processed. With those pesky consent policies out of the way, Google used people’s IDs just so they could spam them with unsolicited, tailor-made ads.

So, that sucks, but $57.8 mil is a lot, right? Well, considering Google’s global turnover in 2019 was $106.74 billion, it’s safe to say they didn’t even bat an eye.

But surely that’s just an isolated case… Let’s see who else got fined.

And 2nd to H&M

After Google France, the second largest GDPR fine ever was paid by the clothing brand H&M. Unfortunately, the situation here doesn’t look any better than with the first. If anything, it’s significantly worse.

In October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information fined H&M $40.8 million for what many consider a heinous, Orwellian breach of personal rights. The higher-ups at H&M illegally collected sensitive data on their employees to create profiles that they then used in the company’s hiring and promotion processes.

Whisper campaigns were even applied to gain the information they needed, including gossip, which was then added to the employees’ “secret files”. According to the BBC, H&M implemented the use of “employee surveillance that even included collecting ‘excessive’ records on the families, religions, and illnesses of its workforce at its Nuremberg service centre”.

Source: ThoughtCo.

I don’t need to explain why this breach of employee trust and misuse of illegally obtained information is beyond gross. So, what about the fine? Did the $40.8 mil really put H&M in its place?

Well, considering the company’s current worth of $334.04 million (and that’s even after the pandemic closed many of its shops for months), I’d say they’re doing just fine.

Amazon Takes 3rd…Or Will It Be 1st?

Last but not least, we have #3 on our list of GDPR offenders. So far, we’ve discussed the top examples of the GDPR falling short in its campaign to protect us from nefarious corporate giants. But now, let’s play devil’s advocate, and include a current example that could very well prove the exact opposite.

Possibly the most interesting, and certainly the largest, GDPR fine hasn’t even been paid yet. Here, this honour goes to none other than Amazon. I know, you’re just as surprised as I am to find out that the company that forces its employees to pee in bottles to make shipping quotas doesn’t have the best of intentions at heart when protecting your data.

As this situation is still unfolding, we know painfully little of what Amazon actually did wrong. But what we do know is that Luxembourg’s National Commission for Data Protection has issued a fine of a whopping $866 million! In addition, we know the claim was filed on behalf of 10,000 people, and it asserts Amazon’s advertising system is not based on free consent.

And, you guessed it, Amazon has denied all claims.

Now, it goes without saying that the difference between the largest paid GDPR fine ($57.8 mil) and this one ($866 mil) is almost astronomical. One might even feel inclined to draw a line from the first two fines mentioned in this article, and their less than mediocre results, to this new enormous claim.

The GDPR has long faced criticism for coming up short, but it seems to be taking a turn for the better. That is, of course, if the fine actually goes through. I think we can all picture Amazon squirming its way out of this one and walking away scot-free. Only time will tell.

Hope for the Future of the GDPR

But, God willing, if the $886 million fine does stick, you can bet we’re going to see a lot of companies suddenly hyperaware of the GDPR, as they come out with newly updated corporate policies and issue statements starting with, “Nothing is more important to us than protecting our customers’ right to privacy…blah, blah, blah.” It’s too bad that most don’t seem to bother with the GDPR until it might affect their wallets.

I think we’d all prefer companies that have our best interests at heart, who protect the information we entrust them with simply because it’s the right thing to do. But whether they do so because they actually care, or just to protect their investments, a GDPR that can actually pack a punch is a welcome sight for all of us.

Hoping to Never End Up on This List? Discover Any GDPR-related Data You Store Using PII Tools.