Amazon was hit with the largest GDPR fine on record in July 2021, at £636m. It’s so big that it’s double the cost of all previous fines combined.
In May 2018, 10,000 people filed a group complaint against Amazon via a French privacy rights group. This led to an investigation, which found Amazon’s advertising targeting system didn’t use proper consent. But details of the case haven’t been made public, because local laws prevent them from being shared until the appeals process has been completed.
When an organisation is active across multiple countries within the EU, it can choose one country for complaints to be funnelled through, usually the one where its head office is based. Known as a one-stop-shop, this is designed to allow issues to be addressed consistently across the EU.
This one-stop-shop system has been criticised by many. “It’s not working,” said Romain Robert, a program director at European data rights group noyb. He claims the system has resulted in complaints getting lost, facing lengthy delays, or suffering breakdowns in communication. “The procedure is so different in each member state that you have to know where you go,” he explained.
In October 2021 Amazon launched an appeal against the fine. It claims “there has been no data breach, and no customer data has been exposed to any third party.”
WhatsApp was fined £118.8m by Ireland’s Data Protection Commission for failing to tell Europeans how their personal data is collected and used, and how it’s shared with Facebook (now Meta). WhatsApp is planning to appeal the fine. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” a spokesperson said.
Since Google’s EU operations are run from Ireland, a GDPR breach should have been dealt with in Ireland, according to the one-stop-shop system. However, this issue relates to the ePrivacy Directive, not the GDPR, which means that regulators can take direct action in their jurisdiction.
In the same decision, another fine of £47m was imposed on California-based Google LLC for the same infringement – but this time it was for its search website.
Facebook was also fined by the CNIL at the start of 2022 for failing to get proper cookie consent from users. The issue was that refusing cookies was much more complicated than accepting them – and the only option shown to users was ‘accept cookies’ even when it appeared that a user was refusing them.
This lack of clarity “generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it,” the CNIL said.
Clothing retailer H&M was fined by the Data Protection Authority of Hamburg, Germany, for breaches in how it handled the data of its employees. The company recorded return-to-work meetings that were required after sick or annual leave, and the recordings were accessible to over 50 managers at the company. This gave managers “a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs” and they used this information to make performance evaluations or decisions about employment.