The Top 5 Data Privacy Penalties Post-GDPR

From California to China and the country that fined itself, here are the five most interesting data privacy penalties of 2021-22.

It’s incredible to think that data privacy was almost a non-issue 10 years ago, for regulators and companies alike. Those days are long gone. The passage of the General Data Protection Regulation (GDPR) in 2016, and its inauguration two years later, has changed regulatory frameworks and postures all over the world. The California Consumer Privacy Act (CCPA) was one of the first frameworks outside the EU to imitate GDPR; India, China, Bahrain, and other countries would scramble over the next four years to come up with their own.

This means, of course, that big court cases over data privacy have made the news, sometimes with hundreds of millions of dollars in fines at stake. Michael Volkov, attorney and longtime corporate compliance expert, sees these big cases as nothing more than the icebreaker for the regulatory battles to come. “Risk penalties are only going up,” he says. “The longer people have notice of what’s required [by regulators], the more they’re going to pay down the road for the same kinds of violations. And there’s no constraint on enforcement agencies, other than their own creativity and scope to impose penalties on global companies.

“There’s going to be a billion-euro GDPR case soon,” he adds. “So far the penalties have been a drop in the bucket for most of these companies.”

They may indeed be a drop in the bucket, but with fines climbing and regulators getting more ambitious, InformationWeek has compiled five of the most interesting data privacy cases of the past two years: the big payouts, the self-sacrifices, and the newest frameworks.

Case 1: Amazon, 2021

You probably knew this one was coming. Amazon’s €746 million ($877 million) fine made headlines in July 2021, when Luxembourg’s Commission Nationale pour la Protection des Données (National Commission for the Protection of Data) hit the retailer with the biggest GDPR fine in history. TechCrunch explains that the case had started in France, with a complaint by an advocacy group for privacy rights, La Quadrature du Net, which laid out its case here (PDF in French). The group made several allegations: that Amazon was using customer data without explicitly telling them; without giving them a viable way to opt out without penalty (a right also reaffirmed by the European Parliament separately from GDPR); without recourse for users who wished to withdraw their consent; without an explicit contract laying out what Amazon would or could do with personal data; and for illegal “commercial prospecting,” or manipulation through targeted advertising. All these allegations imply a violation of GDPR.

Like many big foreign firms, Amazon has its European base in Luxembourg, so it was a Luxembourgish court that took up and vindicated La Quadrature du Net’s complaint. (GDPR, of course, holds in both countries.) There’s an irony in this, given Luxembourg’s reputation as a tax haven. It’s compounded by the fact, underscored by Wired, that Luxembourg has strict professional secrecy laws, so we don’t know the exact details of the case. But the message was clear enough: Tread carefully with user data.

Case 2: Zoom, 2021

If you don’t remember what “zoombombing” was, Vice News lays out a few horrible examples. One German think tank discussion, conducted over the Zoom video-conferencing platform like most COVID-era meetings, was hacked, and a video of nightmarish sexual abuse shown to the participants. A German e-memorial for the Holocaust was disrupted by images of Hitler. One hacker who spoke to Vice, who claimed to be a 15-year-old from New York, apparently attacked 20 Zoom calls a day around the world with barbaric or, at best, grossly adolescent images.

Naturally, Zoom didn’t encourage or condone any of this; but was the platform responsible? In the summer of 2021, just on the heels of the Amazon case in Luxembourg, the US District Court in San Jose, California, ruled that Zoom was indeed at fault for negligence. As Reuters reported, the court narrowed the scope of the class action suit by affirming that Zoom could not be held responsible for the content of Zoom bombs, citing the (now controversial) Section 230 of the Communications Decency Act. The court initially seemed skeptical, too, that Zoom had illegally shared users’ personal data with other platforms, like Android or Facebook. But the court refused to throw out allegations that Zoom had violated both its contract and good faith with its users, who had entrusted the platform with their data. Zoom would eventually settle, paying out $85 million to subscribers.

Case 3: Netherlands Tax and Customs Administration, 2022

Here was an unusual case. The Tax and Customs Administration of the Kingdom of the Netherlands had long kept a blacklist of people convicted, or suspected, of tax fraud. People on the list lost their eligibility for tax repayment plans, whether they had been convicted or not. Worse, the list was rife with racial and ethnic abuses. A Polish last name, or contributions to a mosque, counted as “risk factors for fraud.”

The blacklist was a lawsuit waiting for its moment, but it wasn’t a citizens’ rights organization that brought it. Rather, it was the Dutch government, specifically the Data Protection Authority. The blacklist contained volumes of personal data per entry, from physical and email addresses to tax codes, income statements, criminal records, and other highly sensitive data. The Data Protection Authority charged that the Tax Administration had no right to possess that data under GDPR; that, moreover, the data included inaccuracies and had never been justified to the government; and that the Tax Administration had held onto it for longer than the law allowed. The list was terminated, and the Tax and Customs Administration had to pay its own government a fine of €3.7 million. There’s a grim shade of Junius Brutus in all this, a government bringing the hammer down on itself for data privacy violations. A lot of data protection officers in the Netherlands stirred uneasily and called in their staff for a just-in-case review.

Case 4: Didi, 2022

China was one of the last major economic powers to draft a data protection framework. Columbia University’s Journal of Transnational Law explains that the Personal Information Protection Law (PIPL), passed in November 2021, used GDPR as a model. It is extraterritorial, applying to all individuals and organizations that handle Chinese data, and it seems to borrow a number of key concepts from its European counterpart. It is stricter than GDPR, however, in its stance toward collecting personal data. In fact, it offers no justifiable grounds for it at all. GDPR lets companies argue for “legitimate interests.” PIPL has no such provision.

PIPL is so new that we have yet to see how international companies will deal with it. Yahoo! and LinkedIn both cut operations in China altogether, apparently out of fear of the new framework. But we have seen Chinese regulators throw PIPL at Chinese companies. Didi Global is a Beijing-based car service worth almost $22 billion. It offers ride shares, home deliveries, and other services, like Uber but broader. As Data Guidance reports, China’s Cyberspace Administration hit Didi with PIPL penalties this year for a number of rather disturbing allegations: collecting screenshots from users’ mobile photo albums, “excessive” use of facial recognition technology, collection of geolocation data from users’ mobile phones. In all, Didi had to pay about $1.1 billion in fines, making this, apparently, the biggest data privacy fine in history.

Case 5: WhatsApp, 2021

This list wouldn’t be complete without the WhatsApp scandal of 2021. Like the Amazon case, it involves a European country previously well-known for making things as cozy as possible for foreign firms: Ireland.

The Irish Data Protection Commission, backed up by regulators from eight EU states under the aegis of the European Data Protection Board, brought WhatsApp to court over transparency, under Articles 12, 13, 14, and 58 of GDPR (via Euronews). Part of this was WhatsApp’s reticence to tell users that the data they gave WhatsApp was accessible across the brands owned by Facebook (now Meta), like Instagram. There was the matter of third parties, too: WhatsApp offered users no way to know how much personal data the company had acquired from outside parties. But the main charge was one of clarity. WhatsApp, the plaintiffs alleged, should have explained what it was doing with user data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” The regulators noted that children frequently use WhatsApp; the language needed to be simple enough for them to understand, too.

The penalties added up to €225 million, making this the second biggest GDPR penalty in history, just after Amazon. Still, a privacy campaigner told the BBC that this penalty wouldn’t amount to much. Irish courts are ponderous, complicated things, meaning the penalty won’t be enforced for years. Moreover, he said, Ireland’s Data Protection Commission had heard about 10,000 complaints since 2018; this was the first real penalty it had produced. Perhaps, but the Commission has proven itself capable of taking on a Big Tech superpower, with pan-European support. This was its first big penalty; it won’t be its last.
