Module 17 2024

05/12/2024

• GDPR – Fines (Article 83)

• Fines of up to £17.5 million under the UK GDPR, €20 million or 4% of annual global turnover under the EU GDPR can be issued for infringements of articles: i. 5 (data processing principles); ii. 6 (lawfulness of processing); iii. 7 (conditions for consent); iv. 9 (processing of special categories of data); v. 12 – 22 (data subjects’ rights); and vi. 44 – 49 (data transfers to third countries or international organisations)

169

• EU GDPR – Fines

• Prior to August 2021, largest fine on record was €50 million levied against Google in 2019

• Current top 5 fines across the EU: 1) Meta - €1.2 billion (2023) - transfer of EU personal data to US without adequate data protection (NB. This fine alone is more than all fines prior to January 2022 combined) 2) Amazon – €746 million (2021) – cookie consent violations 3) Meta - €405 million (2022) - inappropriate lawful bases for processing children’s personal data 4) Meta - €390 million (2024) - inappropriately enforcing consent 5) TikTok - €345 million (2023) - GDPR violations • Four of the above fines were imposed by one Data Protection Authority (Irish DPA)

• Of the top 20 EU GPDR fines, seven were imposed on Meta or Meta-owned companies

170

85