GDPR – 6 Actions That Made it Real in 2019

In the wake of recent fines levied against British Airways, Marriott, and Facebook, companies are starting to take compliance with the EU's General Data Protection Regulation (GDPR) more seriously.

1. NOYB Files Complaint Against Eight Tech Firms

At least eight tech firms were named in a complaint filed by the privacy group NOYB (None Of Your Business) for allegedly violating the EU’s regulation. Max Schrems, who chairs NOYB, said none of the companies fully complied with GDPR. While many organizations have set up automated systems to respond to subject access requests, he says, those systems often come nowhere near providing the data users have a right to see. That amounts to a structural violation of users’ rights, he adds, because the systems are designed to withhold relevant information. Companies named in the complaint, which was filed in Austria on behalf of 10 users, include Apple, Amazon, Netflix, Spotify, and YouTube.

2. French Authorities Hit Google with $57M Fine

The French were the first to levy a major GDPR fine against a US tech company, hitting Google with a 50 million euro ($57 million) penalty in January. The fine was imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL), which said Google did not disclose clearly enough how it gathers and uses the personal information of its users. CNIL also said Google had not obtained valid consent from users before serving them personalized ads.

3. Germany Issues 41 GDPR Fines

Published reports in February said German authorities had levied 41 GDPR fines against German companies as of mid-January. The highest fine was 80,000 euros ($89,700), imposed on a company that allowed health-related data to be publicly viewable. Another large fine of 20,000 euros ($22,422) was imposed on the chat portal Knuddels.de by the State Data Protection and Freedom of Information Officer for Baden-Württemberg. Knuddels.de was fined over a 2018 data breach in which attackers stole users' personal data, including passwords that the company had reportedly stored in plaintext on its server.

4. British Airways Faces $229M GDPR Fine from UK

Momentum on fines picked up this month when British authorities announced a $229 million (£183 million) fine against British Airways. The UK’s Information Commissioner’s Office (ICO) issued a notice of its intention to levy the penalty over the company’s security failings, which allowed a half-million customers’ information to be harvested after they were diverted to a fraudulent site. The UK’s information commissioner also warned that other companies could face similar penalties unless they do a better job of protecting the personal data of UK citizens.

5. Marriott International Also Faces Large GDPR Fine from UK

The day after the British Airways announcement, the ICO also said it intended to fine Marriott International up to $124 million (£99 million) for GDPR violations. The fine was in response to the massive Starwood Hotels breach, which reportedly exposed the records of more than 500 million guests around the world. Marriott indicated it would cooperate with the investigation, and the ICO said it would set the final amount after hearing representations from Marriott and other interested parties.

6. US FTC Reportedly Settles with Facebook for $5B over Cambridge Analytica Scandal

The Federal Trade Commission (FTC) and Facebook reached a settlement about 10 days ago over the Cambridge Analytica privacy scandal, which came to light in connection with the 2016 presidential election, according to reports in The Wall Street Journal and other news sites. The $5 billion fine is the largest the FTC has ever imposed on a tech company, dwarfing the $22.5 million fine it levied against Google in 2012, also over privacy practices.

“Facebook has a much larger challenge with data-sharing practices, including accounting for what data is collected, why it is collected, and who it is sold to,” says Steve Schlarman, GRC strategist at RSA. “This is different and much more complex than a vulnerability on a commerce website – for example, how the British Airways breach seems to have occurred. Facebook’s challenges extend into their data-sharing ecosystem, which we saw with the Cambridge Analytica scenario, a third-party cyber-risk.”

The FTC approved the settlement along party lines, with its three Republican commissioners voting “yes” and its two Democrats voting “no.” Lawmakers from both sides of the aisle called the fine a “slap on the wrist” and demanded structural reform instead. Analysts pointed out that $5 billion amounts to roughly one month of revenue for Facebook, even though it is more money than most companies will ever see.