Penalties and Fines for Violating the GDPR

Under the General Data Protection Regulation (GDPR), for the first time in history, fines for privacy infringement in the EU could reach into the tens of millions of euros. Needless to say, noncompliance isn't worth it.

This article will break down the articles of the GDPR that deal with penalties for noncompliance. It will also provide some useful examples of GDPR violations that are easy to overlook but, fortunately, also easy to remedy.

Examples of Privacy Penalties Before the GDPR

Privacy fines are not a new concept. In recent years, more and more businesses have been taken to court for compromising consumer privacy.

  • In 2006, AOL released a file that included the search history of over 650,000 users, supposedly for research purposes. Some of the data included the personal information of users, which was soon made available to the entire internet. AOL was ordered to pay a penalty of $5000 for every compromised user.
  • In 2007, Google was fined $147,000 for unwittingly releasing images of the faces, activities, and license plates of passersby when they launched their Google Street View software.
  • Disney was fined $3 million in May of 2011 when they processed the personal data of children under the age of 13 and shared it with third-party advertisers without parental consent.
  • Most recently, in 2017 Facebook was fined €1.2 million in Spain for collecting sensitive user data, such as religious beliefs and sexuality information, without requesting adequate consent from consumers beforehand.

It is evident that privacy penalization has been coming into the limelight for years as tracking and advertising technologies become more intrusive and advanced.

The GDPR will be the first regulation that sets the standards for administrative fines on internet privacy quite so high. It remains to be seen how often and how meticulously the European Union will enforce these new statutes.

The General Data Protection Regulation In Short

The GDPR is a massive legal document, but here's an ultra-condensed summary of some of its most notable measures:

  • No business in the EU or elsewhere may collect the personal information of an EU resident without first obtaining express, unambiguous, freely-given consent. This includes data collected by browser cookies, even where it is not obviously personal.
  • EU users must be given easy access to their personal information in order to review, edit, or delete it. A full digital copy of a user's personal data must be provided upon request.
  • The protection and security of personal data should be designed into the entire infrastructure of a website or mobile app. Privacy by Design is no longer a recommendation. It's a requirement.
  • Privacy Policies should be written using clear, plain language and made accessible to users. In the same spirit of transparency, changes to privacy processing protocols and data breaches must be communicated to the users they affect in a timely manner.

Certain companies that process massive amounts of personal data, like social media networks and data processing firms, will need to follow many additional stipulations.

Who Will Be Affected?

Although the regulation will only apply to the personal data of EU residents, the GDPR will be enforced upon any business in the entire world that collects that information.

Since the internet is international by its very nature, there is no way to avoid compliance, at least as far as EU user data is concerned. Unless you can guarantee that no EU resident will ever come across your website/app, it would be in your best interest to comply. The EU is a major world power and most developed countries are prepared to cooperate with them to enforce the GDPR.

Penalties of Noncompliance

In order to manage the investigation and enforcement of the GDPR, a Data Protection Authority will be designated in each EU member state as the supervisory authority.

These supervisory authorities will be appointed by government officials in each member state and manage the day-to-day enforcement of the GDPR. You might think of them as the GDPR police.

EU consumers will have the option to submit privacy complaints directly to supervisory authorities. These are also the authorities you must report to in the case of a data breach involving EU user information. They will have full powers to investigate and correct GDPR infringements. In other words, they can dole out fines.

Under Article 58 Section 2 of the GDPR, supervisory authorities may take any of the following corrective actions in the case of EU consumer privacy infringement:

Intersoft Consulting: GDPR Article 58 Section 2: Powers

Fines

While most of the administrative corrections listed above are feasible and relatively simple for the affected businesses to comply with, it's the administrative fines that have online businesses the world over scrambling to meet GDPR requirements.

For the first time ever, fines for privacy violations could reach amounts of €20 million or more.

Article 83 deals with the general conditions for imposing administrative fines. Section 4 lists the types of infringements that come with a fine of up to €10 million or 2% of the company's global annual turnover, whichever is higher.

Intersoft Consulting: GDPR Article 83 Section 4: General Conditions for Imposing Administrative Fines

This tier of fines can apply if the following infringements occur:

  • Collecting the personal information of a child 16 years old or younger without parental consent.
  • Failure to follow basic Privacy by Design protocols to promote privacy and security.
  • Failure to inform users of the joint processing of user data by two or more parties.
  • Failure to affirm the privacy compliance of a third party used to process user data, or to inform users of third-party processing.
  • Failure to keep records of personal information processing activities.
  • Failure to communicate a data breach to a supervisory authority within 72 hours of discovery.
  • Failure to communicate a data breach to the end users it affects in a timely manner.
  • Failure to perform a data protection impact assessment (DPIA) prior to launching an initiative that puts the personal data of EU users at risk.
  • Failure to appoint a Data Protection Officer (DPO), if the nature of the online business requires it.

Section 5 of Article 83 outlines what infringements come with higher fines of up to €20 million or 4% of the company's global annual turnover, whichever is higher.

Intersoft Consulting: GDPR Article 83 Section 5: General Conditions for Imposing Administrative Fines

This tier of fines can apply if the following infringements occur:

  • Processing data in an unlawful, dishonest, or insecure fashion.
  • Processing personal data without the unambiguous and freely-given consent of the user, with the exception of cases in which processing is required by law.
  • Processing of "sensitive personal data" without due necessity and the express consent of the user.
  • Failure to inform users they can opt out of data collection and provide an opt-out method.
  • Failure to provide an accessible, clear, and easy-to-understand Privacy Policy.
  • Failure to provide users with a copy of the personal information you hold about them upon request.
  • Failure to provide users with access to their personal data for the purposes of editing, updating, or erasing it completely.
  • Failure to erase personal data or cease marketing efforts targeted at an end user upon request.
  • Transferring personal data over international borders without following the appropriate processes and protocols.
  • Non-compliance with any order issued by a GDPR supervisory authority.

Section 2 of Article 83 provides a list of criteria for the supervisory authorities to consider when determining the amount of the fine to be imposed:

Intersoft Consulting: GDPR Article 83 Section 2: General Conditions for Imposing Administrative Fines

As you can see, a variety of factors will affect each individual case including aggravating and mitigating factors, how negligent or intentional the violation was, past violations, etc.

It is important to note that fines and penalties are supposed to be fair and appropriate to each individual infraction. If your violation of the GDPR is an honest mistake and you make fair efforts to mitigate it, your fines will not be towards the top of the spectrum.

Examples of GDPR Violations

Although it is not possible to show visual examples of every kind of infraction, below you can see a few very obvious violations.

Valid consent is one of the cornerstones of GDPR compliance. Violations are not difficult to spot.

The McDonald's registration form does not give users an opportunity to provide their express and unambiguous consent for marketing communications; in this form, consent is assumed when a user registers for an account:

McDonald's Create Profile form

Although Apple's registration form includes marketing consent checkboxes, this method of consent is not considered freely-given because the boxes are pre-ticked by default:

Apple's Create Apple ID form showing checkboxes pre-ticked: Not GDPR-compliant

TechTarget's Cookies Policy includes the following terminology: "By continuing to use the site, you agree to the use of cookies."

TechTarget Cookie Policy: Screenshot of intro with implied consent

This is implied consent and will not be considered legal under the GDPR. Consent for most types of cookies must be obtained via a clear action on the part of the user, such as the click of a button or tick of a checkbox.

The same goes for Privacy Policies. The kind of browsewrap agreement demonstrated in the PokerStars Privacy Policy below is also implied consent and in violation of the GDPR:

PokerStars Privacy Policy: Consent to Privacy Policy clause with implied consent

In order for a user to validly consent to the Privacy Policy they must click an agreement button or tick a checkbox.

Readability and Accessibility

Another fine-worthy infringement is failing to provide a clear, easy-to-understand Privacy Policy. The long-winded, confusing legalese that was so popular in Privacy Policies of the past will no longer be accepted.

Ironically, it may be government agencies that will have the hardest time with this requirement:

This is the intro to the Privacy Policy for USA Citizen and Immigration Services. The language is unnecessarily complex and dense.

USA Citizen and Immigration Services Privacy and Legal Disclaimers: Screenshot of intro

Although it is still unclear how serious these types of infractions will be, it is advisable to ensure your Privacy Policy is written clearly in simple language.

Accessibility to the Privacy Policy as well as to a user's choices regarding their personal information is a key point in the GDPR.

For example, the Privacy Policy should be prominent and easy-to-find within the business's website or mobile app.

In addition, a user should have easy access to their own personal information and consent choices. According to the GDPR, "It shall be as easy to withdraw consent as to give it."

Here is an example of noncompliance with these accessibility requirements and others.

When you go to the Glamour homepage, there is no immediately-visible link to the Privacy Policy in the standard footer links list. There are, however, three visible links for a user to sign up for marketing emails:

Glamour homepage screenshot

When you do finally locate the Privacy Policy, you see that it is linked, but only as part of a statement that says, "Use of this site constitutes acceptance of our [...] Privacy Policy."

Glamour homepage footer with links and implied consent statement

As with the other examples of bad consent, you can see why this absolutely violates the consent requirement of the GDPR.

Further, usually the Privacy Policy would provide instructions on how to unsubscribe from marketing communications, especially since Glamour makes it so easy for you to enter your email address and subscribe.

However, after finally locating the Privacy Policy as part of the implied consent statement, a user would see that the Policy does not provide instructions on how to access personal data or change marketing communication preferences:

Conde Nast Glamour User Agreement and Privacy Policy: The Type of Information the Service Collects clause

The above examples demonstrate a range of infringements that may garner a range of different penalties, from warnings to fines. When a combination of infringements is found, or if a business commits repeat offenses, the larger fines could start rolling in.

Make sure your Privacy Policy is up to date and includes GDPR-required information, is written in an easy-to-understand way, and that you get the appropriate level of consent whenever you collect personal information. Do these things and incorporate sound privacy practices into your business and you should avoid being penalized.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.