A new report released by Finbold shows there was a massive increase in GDPR fines in Q3, 2021. Data protection authorities across EU member states imposed penalties of €984.47 million ($1.14 billion) in Q3 to resolve violations of the General Data Protection Regulation, which is three times the total fine amount of 2020 and nearly 20 times the fine total in Q1 and Q2, 2021 combined.
A substantial proportion of the €984.47 million total is due to a massive financial penalty imposed on Amazon EuropeCore S.à.r.l by the data protection authority in Luxembourg. Amazon was fined €746 million ($867 million) in July 2021 for alleged violations of the GDPR with respect to non-compliant data processing. Another substantial financial penalty was imposed on WhatsApp by the data protection authority in Ireland over insufficient fulfilment of information obligations. WhatsApp is alleged not to have told users of its platform about how their personal data would be shared with its parent company, Facebook. WhatsApp was fined €225 million ($262 million) over the GDPR violations.
Those two financial penalties make up the vast majority of the total fines for the quarter and were the result of lengthy investigations into the two tech firms. Whether those financial penalties will be paid is another matter, as both companies have appealed the penalties and claim they are without merit. It is possible that the financial penalties will stand, the fines could be reduced, or potentially the two companies may escape a financial penalty altogether.
Massive financial penalties such as these are possible as while the maximum financial penalty for GDPR violations is set at €20 million ($23.26 million), fines can be imposed up to 4% of global annual turnover for the previous financial year, with the GDPR taking the maximum as the higher of those two amounts. Prior to these fines being announced, the largest financial penalty was imposed on Google LLC, which was fined €50 million ($58 million) by the French data protection authority in January 2019.
In terms of total fines, unsurprisingly Luxembourg tops the list with fines totaling €746,071,000 ($867,524,400) across 11 cases, followed by Ireland with € 225,876,400 ($262,646,900) in penalties across 9 GDPR violation cases. Italy is in third place with €86,138,770 ($100,161,300) in financial penalties, with the country highly active having imposed fines on 92 companies. Spain tops the list for the highest number of fines, having imposed 296 penalties totaling €32,942,610 ($383,053,360).
Finbold says there is considerable variation among EU member states in terms of their interpretation of the GDPR, with some member states having far stricter interpretations of the law. Some data protection authorities have been lenient on companies that have violated the GDPR when they have been experiencing financial hardship due to the COVID-19 pandemic and have reduced the financial penalties considerably. The UK’s Information Commissioner’s Office (ICO) imposed a financial penalty of £183.4 million ($249.97 million) on British Airways for GDPR violations related to a data breach but reduced the fine to £20 million ($27.26 million) due to the losses sustained by the airline as a result of COVID-19.