The General Data Protection Regulation (GDPR) is the data protection framework the European Union adopted in April 2016. After a two-year transition period it became enforceable on 25 May 2018, and it is now universally referred to by its acronym.
The GDPR sets strict rules for how companies and organizations may collect and process the personal data of people in the European Union (EU) and the wider European Economic Area (EEA). Its reach is not limited to Europe: under Article 3, an organization anywhere in the world falls within scope if it offers goods or services to people in the EU or monitors their behaviour (for example by tracking website visitors), whether or not it has an establishment in Europe.
The regulation requires that people whose personal data a business collects be told how that data will be used and what rights they have over it. When personal data is breached, the organization must notify its supervisory authority within 72 hours and, where the breach is likely to put individuals at high risk, inform the affected individuals as well. Failure to comply attracts financial penalties.
Under Article 83, fines are tiered and scale with the size of the organization. For the most serious infringements they can reach 20 million euros or 4% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher, so a multinational can face a penalty well above the 20 million euro figure.
Here are five well-known multinational corporations that have faced substantial fines for privacy violations affecting EU residents:
1. British Airways
In July 2019 the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways, part of International Airlines Group, £183 million (about $230 million) for failing to protect its website adequately. The weak security controls allowed web-based card-skimming malware to harvest the payment details of around 500,000 customers booking tickets online. Investigators found “that a variety of information was compromised by poor security arrangements at [BA], including login, payment card, and travel booking details as well [as] name and address information.”
2. Facebook
Although Facebook is a U.S. company, its lax handling of user data also affected European citizens. In October 2018 the ICO fined Facebook over the Cambridge Analytica affair, in which a third-party app harvested the personal data of millions of users and their friends without adequate consent. Because the misuse took place before the GDPR applied, the penalty was assessed under the Data Protection Act 1998: £500,000 ($660,229), the maximum that Act allowed. Had the GDPR been in effect, the penalty could have been far higher.
Facebook's subsequent incidents, however, fall squarely within the GDPR era. In September 2018 a vulnerability in the “View As” feature exposed access tokens for about 50 million accounts, and in April 2019 researchers found roughly 540 million records of Facebook user data, left by third-party app developers on publicly accessible cloud storage with no password protection. Because that storage required no authentication at all, anyone who found it could read the personal information it held.
Because these later incidents fall under the GDPR, Facebook could face fines as high as $2.2 billion. That figure follows from the regulation's ceiling of 4% of annual worldwide turnover applied to Facebook's roughly $55 billion in revenue.
3. Marriott
The ICO has also announced its intention to fine Marriott £99 million (about $123 million) for a data breach. In November 2018 Marriott disclosed that attackers had been inside the Starwood guest reservation database since 2014. According to Catalin Cimpanu's ZDNet article “Marriott faces $123 million GDPR fine in the UK for last year's data breach,” the attackers obtained access to “383 million guest records, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers [and] 385,000 card numbers that were still valid at the time of the breach.”
4. Equifax
The ICO also fined Equifax £500,000 (about $660,000) for its 2017 data breach, which affected UK and other EU residents. As with the Cambridge Analytica penalty, the fine was far smaller than it could have been because the breach predated the GDPR and was assessed under the Data Protection Act 1998, which capped penalties at £500,000.
5. Uber
British and Dutch regulators fined Uber a combined $1.17 million for a 2016 data breach that the company concealed for about a year, paying the attackers rather than notifying regulators or the affected individuals. The breach exposed the personal data of millions of Uber riders and drivers.
These five cases are good reasons for companies to raise awareness of GDPR requirements, audit all the customer data they hold, update their privacy notices, and review the security controls that would have to withstand scrutiny from a supervisory authority such as the ICO. Beyond improving compliance and security, companies subject to the GDPR are also well advised to carry enough cyber insurance to cover the worst case: a data breach.