Data Protection – GDPR is No Joke

Further to our Summer 2018 article on the European Union’s General Data Protection Regulation (GDPR), we have now had a chance to see if the EU is actually enforcing it.  The conclusion:  You bet it is!  Indeed, fines imposed on the two dozen most culpable violators have exceeded $1.6 billion!

The largest one assessed so far, in 2021, was against Amazon for $877 million.  The reason?  Not sufficiently allowing or requiring its website users to agree to the use of cookies.  The next largest fine was against WhatsApp for $255 million, in its case due to insufficient data processing disclosure in its website privacy notice.  Google was whacked for $227 million, spread over three of its different business organizations, primarily for the same “cookie consent” reason.  We gather that even more brazen violations of GDPR have also been attempted, like using individuals’ personal data for telephone marketing campaigns and selling the data to third parties, to the culprits’ eventual serious financial dismay.

Other prominent companies sustaining GDPR fines were Facebook, British Airways and Marriott.  In the case of the latter two, their recordkeeping systems were hacked.  This brings up the whole other matter of data security, where the violation was not so much a question of ignoring the rules as, presumably, not dealing with the chance of a cyber-attack strongly enough.  Either way, violation of GDPR happened, and significant fines resulted.

So if you are, or even just possibly are, subject to GDPR regulations, whether or not you are domiciled in the U.S. and do most of your work here, make sure your legal and IT resources routinely check on your data solicitation, usage and retention practices.  If you thought the IRS was scary, GDPR seems to be in a whole other league.