The passage of the General Data Protection Regulation (GDPR) made it clear that the European Union (EU) is extremely serious about consumer privacy and that protecting EU citizens’ personal information is a top priority. The potential for massive fines that can significantly harm operational capabilities and global reputation has put many organizations on edge. The GDPR authorizes penalties amounting to the greater of 20 million Euros or up to four percent of an organization’s global revenue. Now that the law has been active for over three years, enforcement trends are emerging and showing that the data protection authorities in EU member states are not afraid to impose heavy fines when violations occur. As such, organizations need to understand the global effects this activity can cause and review their privacy compliance plans to address any current gaps that may exist.

Recent Fines

On July 16, 2021, the Luxembourg data protection supervisory authority levied a fine against Amazon for 746 million Euros and requested a change in certain business practices relating to consumer data processing. This fine is by a landslide the largest to date, with the previous record high being 50 million Euros against Google in 2019 for targeted advertising practices. The recent Amazon fine is almost fifteen times more that the 2019 record high penalty.

The Amazon fine stemmed from a 2018 complaint filed by a French privacy rights group that alleged Amazon does not base their advertising practices on free consent in violation of the GDPR’s personal data processing requirements. The issues stemmed from how Amazon used consumer data for targeted advertising. Although the claim originated in France, the GDPR allows one lead supervisory authority to handle investigations when an organization operates in multiple EU countries. Amazon designated the Luxembourg authority, so it took the lead on resolving this complaint with cooperation from the Data Protection Authority in France. Amazon has expressed their intent to appeal, arguing that there has not been a data breach or third-party disclosure. Until that process is exhausted no more details will surface about the allegations, as there is a law in Luxembourg prohibiting public disclosure until the appeals process concludes.

In other big news, on Sept. 2, 2021, Ireland’s Data Protection Authority levied a significant fine against WhatsApp for 225 million Euros, which is four and a half times more the 2019 fine against Google. Initially, the fine was supposed to be 50 million Euros, but a handful of other data protection authorities referred the matter to the European Data Protection Board asking for an increase due to improper penalty calculations. This decision was the result of a three-year investigation about whether WhatsApp provided enough detail to consumers in their privacy policies about their data processing practices. WhatsApp also intends to appeal this penalty.

Influencing Global Privacy

Many countries have followed the EU’s lead and strengthened their consumer privacy frameworks through amendments, new legislation, updated guidelines, and enforcement changes. With the emerging trend of tough GDPR enforcement and high penalties, it will be interesting to see how other enforcement agencies around the world respond. While no other law currently matches the GDPR’s high ceiling for penalties, other countries like Brazil do allow for significant fines. As GDPR enforcement continues to materialize, organizations should closely monitor if other laws are amended to impose higher fines for privacy violations or if stricter enforcement ensues around the globe.

Also pay close attention to the anticipated Amazon and WhatsApp GDPR appeals, as previous penalties have been significantly reduced on appeal. What happens after a decisions is challenged is an important element of the GDPR-fine trend, as it will continue to provide insight into what privacy practices are serious enough to sustain groundbreaking penalties and guide future decisions by data protection authorities. Regardless, the fact that less aggressive privacy enforcers like Ireland have now taken a stronger stance illustrates that stricter enforcement will likely continue regardless if there are fine reductions on appeal.

In light of these recent decisions, organizations subject to the GDPR or any other privacy law should take a closer look at their privacy compliance efforts. The heavy enforcement against big tech companies shows that data protection authorities are not afraid to go after prominent organizations. While a high fine will not likely devastate larger organizations, any requirements to change processing practices can have a greater affect requiring a lot of resources. Also, for smaller companies, fines like this can be devastating.

Chances are if an organization’s policies and practices reflect compliance under the GDPR, the same will be true for obligations under most other privacy laws. However, no two laws are the same so it is still important to thoroughly understand any unique obligations and tweak privacy compliance plans accordingly. Many organizations, including law firms and corporate legal departments, have created new roles aimed at data privacy or partnered with providers to assist with compliance efforts. Maintaining sufficient internal privacy practices, carrying out compliance obligations, and participating in investigations can be time consuming and carry serious consequences if not handled appropriately. This makes creating privacy roles and entering into trusted partnerships a top priority.

For more information on the status of U.S. privacy laws, click here.