As another year comes to an end, and with Christmas just around the corner, we’ve created our own ‘naughty list’ with regards to companies that have mishandled their customers’ personal data and been fined heavily as a result during 2021.
The General Data Protection Regulation came into effect on May 25th 2018, replacing the Data Protection Directive, which was considered to be outdated in protecting the rights of consumers’ online data given that it was created in 1995 before the internet really became a data hoover. It is generally considered to be the toughest privacy and security law in the world.
The purpose of the legislation is to protect ‘the right to privacy’, which is part of the European Convention on Human Rights. As such, companies that fail to protect this right receive harsh fines, with penalties reaching into the tens of millions of euros. So far, over 880 fines have been issued totaling over €1.29 billion.
Though the legislation was passed by the European Union (EU) it has implications for any organisation in the world, as long as they collect data related to people living in the EU. That’s why you may see US companies, for example, on this list.
So, who was issued the biggest fines in 2021?
In July 2021, the Luxembourg National Commission for Data Protection issued the largest fine ever for the violation of GDPR amounting to €746 million ($865 million) to Amazon. First brought to attention by a complaint filed by 10,000 people from the group La Quadrature du Net in May 2018, the Commission began investigating how Amazon processed the personal data of its customers. It found that Amazon was responsible for infringing the GDPR due to the way its advertising targeting system collected customer data without proper consent. It also ordered the company to change its business practices to prevent future infringements.
Amazon has since stated that it disagrees strongly with the Luxembourg authority’s findings and launched an appeal against the fine in October 2021.
As is the case with Amazon, WhatsApp says it disagrees with the decision and the severity of the fine and submitted an appeal in the latter half of September 2021.
At the very start of 2021, in January, German electronics retailer Notebooksbilliger.de received the third largest GDPR fine of the year, €10.4 million ($12.5 million), from the data protection commissioner for the German state of Lower Saxony (LfD). However, unlike with the other two companies mentioned above, this fine was the result of not protecting its employees’ personal data, rather than that of its customers.
The breach of GDPR came from the fact that employees were constantly videotaped without any legal basis for over two years in its salesrooms, workhouses, and other common areas of the company. This surveillance was put in place, Notebooksbilliger.de argued, to prevent theft of high value goods and to track the flow of goods from its warehouses.
Nonetheless, the LfD stated that because videos were kept much longer than necessary (around 60 days in the company’s database before being deleted) and because videotaping was used as a deterrent for crime, rather than due to justifiable suspicion that crime was being carried out by an employee, the privacy rights of employees were being violated.
On receiving the fine, CEO of the company, Oliver Hellmold, objected strongly to the decision, claiming that the LfD didn’t visit the premises of Notebooksbilliger.de during the three-year investigation and that the company had already previously made adjustments to its video surveillance system to become GDPR compliant. As such, Notebooksbilliger.de submitted an appeal to the Bonn Regional Court to review if the fine is lawful and proportionate.