Since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, the focus on data protection is greater than ever, and the price of failing to protect personal data has never been higher.
We take a look at the biggest fines issued both before and after GDPR.
2018 was a busy year for the ICO...
The Information Commissioner’s Office (ICO) issued the most - and largest - fines ever in 2018, including:
- 11 fines totalling £1,290,000 to organisations for serious security failures
- 11 fines totalling £138,000 to UK charities for unlawfully processing personal data in the 12 months to March 2018
The maximum penalty in 2018 was £500,000, issued to both Facebook and Equifax, a consumer credit reporting agency.
Facebook was slapped with the £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz app that collected data from participants and from their friends.
The ICO found that Facebook had allowed application developers access to user information without sufficient consent, had failed to make suitable checks to secure personal information, and had not taken action once the misuse of data was discovered.
Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.
The compromised systems were actually based in the US, but the ICO held Equifax Ltd, the UK arm, responsible because it had failed to ensure its American parent was adequately protecting UK customers' data.
But all this was before GDPR came into effect...
The fines issued to Facebook and Equifax were imposed under the Data Protection Act 1998 (DPA), under which £500,000 was the maximum penalty. Had the same failings occurred after 25 May 2018, both companies could have faced significantly higher fines.
Under GDPR, the maximum fines are set in two tiers. Which tier applies depends on which obligations were infringed, not on how large the breach was:
- €10,000,000 (about £8.8 million) or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements of the controller and processor obligations, for example the security requirements of Article 32 or the 72-hour breach notification duty of Article 33.
- €20,000,000 (about £17.6 million) or 4% of total worldwide annual turnover, whichever is higher, for infringements of the basic processing principles (including the integrity and confidentiality principle and the conditions for valid consent), data subjects' rights and the international transfer rules.
A single security incident can engage both tiers, because inadequate security is typically both an Article 32 failure and a breach of the integrity and confidentiality principle in Article 5(1)(f).
The biggest fines under GDPR
The biggest fine so far is the €50 million penalty imposed on Google in January 2019 by the Commission nationale de l'informatique et des libertés (CNIL), France's data protection supervisory authority, for lack of transparency, inadequate information, and lack of valid consent for ads personalisation. We covered the story in detail in our January edition of Compliance News, where we examined the exact rules Google broke.
A hospital in Portugal has also received a hefty fine of €400,000 for GDPR violations. The Centro Hospitalar Barreiro Montijo was found to have committed three major violations:
- A breach of the data minimisation principle, by allowing an excessive number of users indiscriminate access to personal data
- A breach of the integrity and confidentiality principle, as a result of not applying technical and organisational measures to prevent unlawful access to personal data
- Failing to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, and not implementing technical and organisational measures to ensure a level of security appropriate to the risk
Elsewhere in Europe, a German chat-platform operator was fined €20,000 after hackers compromised the personal data of around 330,000 users and published it in September 2018; the company had been storing user passwords in plain text. In Austria, a business received a relatively modest €4,800 fine for installing a CCTV camera in front of its premises that also recorded a large part of the public pavement. Large-scale monitoring of public space without a legal basis is not permitted under GDPR.
And in the UK, the ICO has served an enforcement notice on a Canadian data analytics company, AggregateIQ Data Services Ltd, requiring it to stop processing EU citizens' personal data for its analytics work.
As the regulation has been in force for less than a year, relatively few fines have been issued so far. However, reports show that data breach complaints have increased by 160% since GDPR came into force. Given the scale of the fines that could follow, this is worrying news for businesses, and it shows how critical it is that companies train their staff in what GDPR requires of them.
Looking back at what could have been
Yahoo currently holds the record for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that a 2014 breach had compromised the personal data of 500 million users. Later that year, a separate breach dating from 2013 came to light that had compromised 1 billion accounts: roughly one for every seven or eight people on the planet.
But the full extent of the breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon disclosed that the 2013 breach had affected not 1 billion but 3 billion accounts: every single account under the Yahoo name, including Flickr and Tumblr.
The breaches knocked $350 million off Yahoo's sale price. Having once been valued at more than $100 billion, Yahoo saw its core internet business bought by Verizon for just $4.48 billion. In October last year, Yahoo agreed to pay $50 million in damages, half of which will be paid by Verizon and half by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).
But, what would have happened if this breach had taken place post-GDPR?
The scale of the breaches alone would have been significant. But what would matter most today is that Yahoo did not notify the breaches within 72 hours of becoming aware of them, as GDPR's Article 33 requires. With revenue in excess of $4 billion for 2012/2013, a failure to notify could have cost Yahoo up to $80 million (2% of turnover), and if the underlying security failings were treated as a breach of the integrity and confidentiality principle, as much as $160 million (4%).
The huge jump in maximum fines in the UK, from £500,000 to £8.8 million or £17.6 million (or more, where the turnover-based percentage is higher), shows the significant lengths regulators are going to in order to protect people's personal data and privacy.