GDPR Violations and Prosecutions

1. Introduction

The General Data Protection Regulation (GDPR), enforced from May 25, 2018, is a landmark EU regulation protecting personal data and privacy. GDPR applies to all organizations processing personal data of EU residents, regardless of where the organization is located.

Key objectives:

Protect individuals’ privacy rights

Harmonize data protection laws across the EU

Impose significant penalties for violations to deter misuse of personal data

Prosecution under GDPR:

GDPR allows regulatory enforcement by Data Protection Authorities (DPAs) and, in some jurisdictions, criminal prosecution under national law.

Violations can lead to:

Administrative fines (up to €20 million or 4% of global turnover)

Corrective measures, audits, and restrictions on processing

In some cases, criminal liability under local law for severe breaches

2. Key Provisions Relevant to Prosecution

Article 5: Principles of data processing (lawfulness, transparency, purpose limitation)

Article 6: Lawful basis for processing

Article 32: Security of processing

Articles 33-34: Breach notification obligations

Article 83: Administrative fines and penalties

Note: GDPR enforcement is primarily administrative, but serious breaches can lead to prosecution under national criminal laws.

3. Case Law and Enforcement Actions

Below are seven significant GDPR violation cases showing prosecution and enforcement:

Case 1: Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 2014

Issue: Right to erasure / “right to be forgotten”

Facts:

Costeja González requested removal of outdated personal data from Google search results. Google initially refused.

Holding:

The Court of Justice of the European Union (CJEU) ruled that individuals can request deletion of personal data if it is inaccurate, inadequate, irrelevant, or excessive.

The ruling established a precedent for enforcing GDPR principles such as transparency and purpose limitation.

Impact:

Major multinational companies must implement procedures for data erasure requests, and failure can lead to fines.

Case 2: British Airways GDPR Fine, 2019-2020

Issue: Data breach and inadequate security measures

Facts:

Hackers accessed personal and financial data of ~500,000 customers.

BA failed to implement adequate security measures under Article 32 GDPR.

Outcome:

UK Information Commissioner’s Office (ICO) proposed a £183 million fine (later reduced to £20 million due to COVID-19 considerations).

Importance:

Demonstrates that security breaches due to negligence can lead to massive fines under GDPR.

Case 3: Marriott International GDPR Fine, 2020

Issue: Data breach due to inadequate data protection

Facts:

Marriott failed to protect the personal data of 383 million guests worldwide.

The breach was traced back to the former Starwood IT systems, which had been compromised.

Outcome:

The UK ICO fined Marriott £18.4 million for GDPR violations.

Significance:

Companies acquiring other businesses must ensure compliance across all systems to avoid liability.

Case 4: H&M GDPR Fine, 2020

Issue: Excessive data collection and employee surveillance

Facts:

H&M’s service center in Germany collected extensive personal data about employees’ family, health, and personal life.

Outcome:

The Hamburg Data Protection Authority fined H&M €35.3 million.

Importance:

The practice violated the GDPR principles of purpose limitation and data minimization.

Employers must limit employee data collection strictly to necessary purposes.

Case 5: Google LLC GDPR Fine (France, CNIL), 2019

Issue: Lack of transparency and consent for personalized ads

Facts:

CNIL investigated Google for failing to provide clear information on how personal data was processed for ads.

Outcome:

Google was fined €50 million for GDPR violations (Articles 7, 12, 13 and 14).

Importance:

Highlights the requirement for clear consent mechanisms and transparency under GDPR.

Case 6: WhatsApp GDPR Fine (Ireland, DPC), 2021

Issue: Data sharing with parent company (Facebook) without proper transparency

Facts:

WhatsApp’s privacy policies were unclear about how data was shared with Facebook entities.

Outcome:

The Irish Data Protection Commission fined WhatsApp €225 million.

Importance:

Demonstrates GDPR's extraterritorial enforcement and the accountability of multinational tech companies.

Case 7: Italian DPA Fine on TIM, 2021

Issue: Unauthorized marketing communications

Facts:

TIM, an Italian telecom operator, sent promotional messages without proper consent from customers.

Outcome:

The Italian Data Protection Authority imposed a fine of €27.8 million.

Importance:

Shows that GDPR enforcement also covers direct marketing violations and consent rules (Articles 6, 7).

4. Key Takeaways

GDPR violations can be administrative or criminal:

Administrative fines are most common.

National criminal law may be invoked for deliberate or reckless misuse of personal data.

Major categories of prosecution/enforcement:

Data breaches and inadequate security

Unauthorized data sharing

Lack of transparency or consent

Excessive collection of personal data

Influence of ECJ/CJEU jurisprudence:

Decisions like Google Spain clarify individual rights and set the standard for enforcement.

Companies must implement robust compliance:

Privacy policies, breach notification procedures, and security audits are mandatory.

GDPR applies extraterritorially:

Non-EU companies processing EU residents’ data can face fines and prosecuti
