The dreaded GDPR, the supposed bane of digital marketing and commerce, has resulted in a less-than-whopping €144,886,145 in fines to date, according to a study by Privacy Affairs. And the offenses make you wonder whether EU taxpayers are getting their money’s worth.
Some fines did add up — like the €50 million imposed on Google in France for lack of transparency and consent. And the above total does not include the €204,600,000 assessed against British Airways and €110,390,200 against Marriott International by Britain’s ICO — these are not yet final.
But most actions are far from that level. And individuals have been targeted as well as corporations — for a grand total of €46,921.
For instance, a car owner in Austria was fined €300 for unlawful use of a dashcam. And a German faced a €2,500 payout for sending emails that allowed recipients to see others’ email addresses.
Moreover, various restaurants were hit with fines for having surveillance systems. One in Spain had video surveillance that also took images of the sidewalk in front, for which it was told to pay €3,600.
Then there were penalties that hardly seem to justify the bother — for example, a Hungarian hospital was ordered to pay €90 for charging a copying fee when fulfilling a patient’s data request.
Do we really need a massive international data structure to deal with these situations?
There also were several cases that seemed to raise jurisdictional questions.
For instance, a soccer coach in Austria was fined €11,000 for secretly filming female players in the shower. And a creep in Spain was penalized €800 for creating a fake profile of a female colleague on an erotic website.
These are serious violations of law and decency. But surely, the criminal courts are a better venue for dealing with them.
And we wonder why GDPR is being applied against telecom companies that have telemarketed people without their consent. Don’t these countries have laws like our own TCMA?
Finally, there was a raft of email-related fines.
In Germany, Delivery Hero was ordered to pay €195,407 for retaining data on customers who had opted out of emails.
Similarly, Spain’s Iberia Lineas Aereas took a €20,000 hit for sending emails to people who had asked to be removed from the firm’s database or put on a no-contact list.
In Romania, a company used “an unfilled checkbox through which users could request that they do not receive any emails from the company” — people who couldn’t fill in the box continued receiving emails. For this, a €30.000 fine was meted out.
Some of these cases occurred on a low level. Spain’s Shop Macoyn, S.L. was punished to the tune of €5,000 for sending advertising emails that allowed every person to see the email addresses of all other recipients.
I will say one thing for the GDPR: it’s also being applied against seemingly untouchable entities. Bulgaria’s National Revenue Agency was fined €28,100 because it unlawfully collected information on a citizen in order to collect a tax debt.
And an €18,000,000 hit was levied against the Austrian Post for selling personal profiles of roughly 3 million people to companies and political parties.
Granted, the bulk of the cases seem to concern processing data without consent or failure to erase it upon request or after it should not have been held, and for failure to protect against breaches.
For the record, there have been 213 fines in the 21 months since GDPR's implementation.
There are two lessons.