In January it was announced that Google was to be fined €50 million for violations of GDPR – the EU’s set of data protection regulations, which went into effect May 2018. The reasons cited for the fine were:
- Users were “not sufficiently informed” about how Google used collected data to personalize advertising; there was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”
- Instead of centralizing data-use information on one page, Google spread information about how personal data would be used for ad personalization (such as data processing practices, data storage periods, or which types of data would be used for personalization) over several documents. According to CNIL, “The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent”, since full understanding would require users go through “up to 5 or 6 actions”.
- Lack of clarity regarding policies, “some information [was] not always clear nor comprehensive”
- Users were required to give their consent in full to all data collection and use carried out by Google, rather than giving consent for each type of data use, as is required by GDPR
- When creating an account, the check-box to allow Google to use data to personalize ads was pre-checked, which also violates GDPR rules
Of course, Google isn’t the only company to have been fined for poor data security practices in the past year. ICO, the regulator responsible, handed out the following fines in 2018.
Facebook fined £500,000 for Cambridge Analytica scandal
Facebook was fined £500,000 in the wake of the Cambridge Analytica scandal, which saw the personal information of an estimated 87 million Facebook users improperly shared with a political consultancy group that worked with Steve Bannon to target specific US voters with personalized political ads.
The cost of the fine is a drop in the bucket for Facebook, which earned $13.7 billion in revenue in Q3 2018 alone. However, had the data breaches that led to the Cambridge Analytica scandal occurred after GDPR came into effect, Facebook would have faced far more substantial fines of up to £1.2 billion.
Equifax fined £500,000 for data security breach
Equifax is a US-based consumer credit reporting agency. However, Equifax UK was fined for breaches that occurred at its US parent company, after a massive cyber attack on Equifax in the US that exposed the personal information of 15 million UK Equifax customers from May to July of 2017. Information exposed included contact information, encrypted credit card information, and email addresses. ICO ruled that Equifax UK had failed to take adequate steps to ensure its parent company was protecting customer information.
Had the breach occurred after GDPR took effect, Equifax would have faced a much heftier £120 million fine.
Uber fined £385,000 for breach of customer and employee data
A 2016 breach saw the exposure of personal information belonging to 2.7 million customers and drivers, resulting in a £385,000 fine. The information exposed included contact information, as well as detailed driving histories of Uber drivers. The data breach was further compounded by Uber’s attempt at a cover-up: initially Uber paid the hackers who stole the information $100,000 to destroy it. It was this failure to disclose that led to $124 million in fines by US regulators.
Had the breach occurred under GDPR, Uber could have faced fines of up to £17.7 million.
Yahoo Services UK fined £250,000 for data stolen from US servers
The fine issued this year by ICO was for a breach that occurred in 2014, but notably was not disclosed until 2016. For comparison, GDPR states that disclosures regarding data breaches must occur within 72 hours. The data theft is widely thought to have been perpetrated by Russian intelligence, targeting servers in the US, which highlights the issue of data off-shoring, a common practice for many companies.
This is in addition to the $50 million in fines levied by US regulators, as well as $35 million in legal costs and three years of free credit-monitoring services for the 200 individuals worldwide affected by the data breach.
Marriott fines TBA, could be more than $800 million
US hotel chain Marriott suffered a data breach that exposed the personal information of 500 million guests. The breach was detected in September 2018 but could affect guest records as far back as 2014. The information exposed is particularly damaging, as it included in many cases names, postal addresses, phone numbers, date of birth, gender, email addresses and passport numbers.
A multimillion-dollar suit has already been filed with US regulators, but as the data breach affects citizens of the EU, GDPR also applies, which is where things get interesting. According to GDPR rules, fines for data breaches can be up to €20 million, or 4% of annual turnover, whichever amount is higher. As Marriott’s turnover in 2017 was $22.9 billion USD, this could amount to hundreds of millions in fines.
The amount of the final fine has yet to be announced, but it will be interesting to see how it compares with the €50 million hit taken by Google.
In Conclusion: Companies need to take charge of their data security
The €50 million fine for Google is the highest yet to be levied under the new GDPR legislation. The fine was far larger than those previously levied for some of 2018’s most notable data scandals, signalling a new era of costly fines for companies that continue to ignore the importance of data security.
However, despite the high cost of failing to protect customer data under new regulations such as GDPR, most companies are still not adhering to GDPR standards. According to a report by IT Governance, only 29% of organizations were fully compliant with GDPR, even after the deadline.
While regulatory regimes of the past resulted in slaps on the wrist for companies that failed to protect customer data, the current regime of fines should make clear the urgency of getting a comprehensive data security strategy in place.