EU data protection authorities have imposed fines of $1.25 billion for breaches of the EU's General Data Protection Regulation since January 28, 2021, law firm DLA Piper said in a report published Tuesday. This amount is almost seven times the fines imposed in 2020.
The provisions of the GDPR have been in force in the European Union since 2018. Under them, all companies operating in the EU are required to demonstrate a clear legal basis for collecting and processing the personal data of their clients. Companies must also notify authorities of any data privacy breach within 72 hours of recording such an incident.
Failure to comply with these rules may result in a large fine for the entity: up to 4% of the company's annual global revenue or EUR 20 million, whichever is greater.
Big Tech companies have received the most penalties for violating the GDPR
The Luxembourg privacy regulator fined Amazon €746 million ($850 million), while authorities in Ireland fined WhatsApp Inc. (Meta Platforms) EUR 225 million. Both companies are in the process of appealing their respective fines.
Companies often point out that the GDPR is imprecise on a few issues, including cross-border data transfers between the EU and the US. In 2020, the European Court of Justice issued a seismic ruling invalidating the Privacy Shield framework, the legal framework for transmitting data across the Atlantic. The ruling was named "Schrems II" after the Austrian privacy activist Max Schrems, who originally opened the case.
Although the Privacy Shield has been revoked, the European Court of Justice has upheld standard contractual clauses, another mechanism to ensure lawful EU-US data flows. However, many companies argue that the ramifications of the ruling remain unclear, as its main claim is that the US data protection regime is not equivalent to the EU regime.
Standard Contractual Clauses (SCC) are by far the most popular method of lawfully carrying out such transfers, at least in theory. In practice, the Irish Data Protection Commission has ordered Meta (aka Facebook) to stop using SCC to send information about users from Europe to the US until it has thoroughly investigated the process.
In another high-profile case, the Austrian data protection authority found that the use of Google Analytics violates the GDPR, as it potentially shares user data with US intelligence agencies. Interestingly, the fine in this case, at least according to Austrian officials, should be imposed on the owner of the site that uses the Google tool, and not on Google itself.
This legal uncertainty means that, on the one hand, companies want to appeal against most of the penalties imposed for violating the GDPR, and on the other hand, many EU countries go too far in imposing them, thus creating quite an expensive legal mess. Experts are calling for a uniform and detailed interpretation of the GDPR and warn that the provisions in their current form will generate even more chaos and appeals in the coming years.