DLA Piper, the world’s largest international law firm, has published a report on the fines imposed on digital companies under the European GDPR. They were almost multiplied by seven in 2021 compared to 2020.
Protecting the personal data of Europeans
Coming into force four years ago, the General Data Protection Regulation (GDPR) was designed to give Europeans more rights over their personal data. Thus, companies must now demonstrate that they have a clear legal basis for collecting and processing user information, and they are required to notify the authorities of any data breach within seventy-two hours of the date on which they became aware of. In the event of non-compliance with this regulation, firms risk a hefty fine of up to 4% of their turnover.
Microsoft announces acquisition of Activision Blizzard for $68.7 billion
In 2021, the total amount of the various fines imposed on big tech reached 1.25 billion euros, or 180 million euros more than the previous year. In addition, data breach notifications by companies to the authorities increased by 8%, and were therefore 356 per day on average.
” GDPR has certainly been effective in getting everyone to sit up and listen to data protection law and data protection enforcement. Before the GDPR, if you were hit with a fine and you were one of the biggest players, it was a rounding error, it barely paid for the Christmas party. Now you have fines that are close to a billion euros “, explains Ross McKean, president of the data protection and security group of DLA Piper in the United Kingdom, to the media CNBC.
Amazon is the company that received the largest fine for violation of the GDPR in 2021. In the amount of 746 million euros, it was imposed by the Luxembourg National Commission. The second largest financial penalty, of 225 million euros, was given to WhatsApp for illegal sharing of personal data between messaging and its parent company, Meta (formerly Facebook).
Each of the two companies has appealed this decision, they have not yet paid their respective fines.
Amazon has been fined the heaviest GDPR violation in 2021. Photograph: Christian Wiediger / Unsplash
A legal mess
However, there are still some problematic points. For example, the Irish data protection agency, a country in which many technological giants have established their European headquarters thanks to an advantageous tax policy, has been accused of slowing down the correct application of the GDPR because of its slowness. Consequently, some countries are taking the bull by the horns and sanctioning big tech themselves; this is particularly the case of France, which has sanctioned Google and Facebook for violating the rules on cookies.
Above all, the legislation on the transfer of data between Europe and the United States remains a veritable imbroglio. The European Court of Justice has twice quashed the contracts (Privacy Shield and Safe Harbor) which governed data transfers between Europe and the United States, affirming that they did not offer sufficiently high protection for European citizens. If a new agreement is in preparation, the current situation is very complicated. Moreover, Meta does not respect the EU decision and continues to transfer its data across the Atlantic.
Since this transfer of data is almost unregulated, Austria recently claimed that the use of Google Analytics represented a violation of the GDPR. Let’s hope that the EU and the United States get along quickly, at the risk of seeing new grotesque situations emerge from this diplomatic problem.