

Meanwhile, the AEPD has notably fined Vodafone’s Spanish subsidiary a total of 58 times since 2018. The AEPD determined that this violated the principle of “data minimisation”, where the collection of personal data has to be “directly relevant and necessary to accomplish a specified purpose”. On the same day, the AEPD fined another private individual €500 for installing surveillance cameras on their property that managed to record other neighbouring properties.

Since 2018, the AEPD has pursued targets ranging from telecommunications giants to individual citizens for varying levels of data privacy violations. Earlier this month, it fined a private individual €2,000 for sharing a video on WhatsApp that showed a violent attack against the complainant, without getting their prior consent, according to Privacy Affairs. The high number of penalties in Spain can be explained by an established culture of enforcing data privacy rights even prior to GDPR and a “fully independent” regulator, according to Estelle Masse, global data protection lead at Access Now, a leading digital rights charity. However, Italy has issued the largest total value of fines, having issued penalties totalling €137,339,596, according to Enforcement Tracker’s data. Spain's data protection authority, the AEPD, has meted out a total of 414 GDPR fines since 2018, the highest number of any European regulator. Which countries have issued the most GDPR fines? This relates to Article 6 of the GDPR, which includes the requirement for an individual's explicit consent before an organisation can process their personal data. The GDPR violation for which the highest number of GDPR fines have been issued to date is processing data with insufficient legal basis for doing so, according to data collected by law firm CMS. The regulator had initially threatened to fine BA £187m, but the airline successfully challenged the method it had used to calculate this figure. The ICO ruled that the airline had failed to take the necessary precautions to protect its customer data. In 2020, the UK's Information Commissioner's Office fined British Airways £20m after the personal data of 40,000 customers was breached in a cyberattack.

At the time, the French authorities said that “refusing cookies should be as simple as accepting them”, and fined Google a further €150m. Two years on, Google again found itself in the crosshairs of the French data protection authorities, this time for not providing an “equivalent solution” to allow users to refuse cookies compared to accepting them. The fine was upheld despite the company’s attempts to appeal the ruling. The French authorities also ruled that Google failed to seek the consent of its users to use their data for targeted advertising campaigns.

Other sizeable GDPR fines include a €50m penalty issued to Google by France's data protection regulator for failing to make its consumer data processing statements sufficiently accessible to billions of users. The e-commerce giant is in the process of appealing the ruling and recently managed to stop daily payments of €660,000 after a Luxembourg judge ruled that the data protection authority’s orders were not “sufficiently clear, precise and without uncertainty”, according to Bloomberg. The fine was a result of a collective complaint filed by 10,000 people who argued that Amazon’s targeted advertising system used their personal data without their consent.
