
Top 10 GDPR Fines issued by European Authorities in 2022

The GDPR, or the General Data Protection Regulation, is the leading privacy law in Europe. It became effective in 2018, and ever since, many companies have been fined for non-compliance. Certain countries have issued a significant number of fines compared to others.

This year Clearview AI Inc. has received fines from authorities in four different countries, totalling €69.000.000. And still that is nothing compared to the GDPR fine that Instagram (Meta Platforms Inc.) received, number 1 in our top 10. Keep reading to learn about the current top 10 GDPR fines in 2022!

  1. Instagram Meta Platforms Inc. – Ireland | €405.000.000
  2. Clearview AI Inc. – Italy | €20.000.000
  3. Clearview AI Inc. – Greece | €20.000.000
  4. Clearview AI Inc. – France | €20.000.000
  5. Meta Platforms Ireland Limited – Ireland | €17.000.000
  6. Google LLC – Spain | €10.000.000
  7. Clearview AI Inc. – United Kingdom | €9.000.000
  8. REWE International AG – Austria | €8.000.000
  9. Cosmote Mobile Telecommunications S.A. – Greece | €6.000.000
  10. Interserve Group Limited – United Kingdom | €5.033.000


1. Instagram Meta Platforms, Inc. – €405.000.000

Ireland – An Coimisiún um Chosaint Sonraí

The Irish Data Protection Commission has fined Meta subsidiary Instagram a record amount at the conclusion of an investigation that began on September 21, 2020, following a third-party tip.

The company had allowed children between the ages of 13 and 17 to use business accounts, which publicly displayed the underage users’ email addresses and phone numbers. Furthermore, the accounts of minors were not set to “private” by default, so that in some cases their content could be viewed by anyone.

The fine is the second-highest penalty imposed for violations of the General Data Protection Regulation after a EUR 746 million fine against Amazon.

2. Clearview AI Inc. – €20.000.000

Italy – Garante per la protezione dei dati personali

The fine relates to biometric profiles that the U.S. company had unlawfully created of individuals in Italy. The Italian data protection authority had opened an investigation into Clearview AI after receiving several complaints against the company.

Clearview AI offers a service that uses artificial intelligence to create biometric profiles of individuals. The data required for this is extracted from photos of the individuals concerned. To this end, the company maintained a database of over 10 billion images of faces gathered through web scraping from public internet sources (including social media and online videos) from around the world. The resulting profiles can be additionally enriched with information linked to these images (e.g. tags, locations, websites).

The Authority’s investigation revealed that, contrary to the company’s own statements, the fine recipient also used the service to evaluate individuals on Italian territory (both Italian citizens and other residents of Italy). According to the Authority, the personal data held by the company were unlawfully processed in this context, as the interest claimed by the U.S.-based company did not constitute an adequate legal basis.

Furthermore, Clearview AI had processed the data for purposes other than those for which the data subjects had originally made them available online, and no retention periods had been defined for the data. The Authority considered this a violation of the principles of purpose limitation and storage limitation. The data subjects had also not been properly informed about the processing of their data.

The fine consists of EUR 3.8 million each for violations of Articles 5, 6 and 9 GDPR, EUR 2 million each for violations of Articles 12, 13, 14 and 15 GDPR, and EUR 600 thousand for a violation of Article 27 GDPR (failure to appoint a representative in the EU).

In addition to the fine, the authority banned the company from further processing personal data under its facial recognition system. Likewise, the authority ordered the company to delete the data of individuals in Italy and appoint a representative in the EU.

3. Clearview AI Inc. – €20.000.000

Greece – Hellenic Data Protection Authority

The present fine is related to biometric profiles that the U.S.-based company had unlawfully made of individuals in Greece.

Clearview AI offers a service that uses artificial intelligence to create biometric profiles of individuals. The data required for this is extracted from photos of the persons concerned. To this end, the company maintains a database of several billion images of faces gathered through web scraping from public internet sources (including social media and online videos) from around the world. The profiles created in this way can be additionally enriched with information linked to these images (e.g. tags, locations, websites).

The Greek Data Protection Authority had opened an investigation into Clearview AI after the non-profit organization “Homo Digitalis” filed a complaint on behalf of a data subject. The complaint concerned the company’s failure to properly respond to the data subject’s access request.

In the course of its investigation, the authority examined the company’s data protection practices beyond the scope of the complaint. It found that the fine recipient also used the service described above to evaluate individuals on Greek territory. According to the Authority, the personal data held by the U.S. company were unlawfully processed in this context, as there was no legal basis for doing so. Moreover, Clearview AI had neither properly informed the data subjects about the processing of their data nor appointed a representative in the EU.

In addition to the fine, the authority banned the company from further processing personal data of individuals in Greece. Likewise, the authority ordered the recipient of the fine to comply with the complainant’s request for information and delete the data of individuals in Greece.

The UK and Italian data protection authorities had also previously imposed fines of EUR 9,000,000 and EUR 20,000,000 respectively on Clearview AI.


4. Clearview AI Inc. – €20.000.000

France – CNIL

The present fine is related to biometric profiles that the U.S.-based company had unlawfully made of individuals in France.

Clearview AI offers a service that uses artificial intelligence to create biometric profiles of individuals. The data required for this is extracted from photos of the persons concerned. To this end, the company maintains a database of several billion images of faces gathered through web scraping from public internet sources (including social media and online videos) from around the world. The profiles created in this way can be additionally enriched with information linked to these images (e.g. tags, locations, websites).

The French data protection authority CNIL had first issued a formal notice to the company after receiving a growing number of complaints from private individuals; in May 2021, the association Privacy International had also brought the practice to CNIL’s attention. The formal notice ordered the company to stop collecting and using data of individuals on French territory in the absence of a legal basis, to facilitate the exercise of data subjects’ rights, and to comply with the access and erasure requests it had received. As the company did not respond within the two-month deadline, CNIL imposed a fine of EUR 20 million.

In addition, given the significant risks to the fundamental rights of data subjects arising from the company’s processing, Clearview AI was again expressly prohibited from processing data of individuals in France without a legal basis, and CNIL ordered it to delete the data already collected from these individuals within two months. The company faces a penalty payment of EUR 100,000 per day of delay.

The UK, Italian and Greek data protection authorities had previously imposed fines of EUR 9,000,000, EUR 20,000,000 and EUR 20,000,000 respectively on Clearview AI.

5. Meta Platforms Ireland Limited – €17.000.000

Ireland – An Coimisiún um Chosaint Sonraí

Meta Platforms Ireland Limited is the Irish subsidiary of the Meta group, the parent company of Facebook, Instagram and WhatsApp, among others. It previously operated under the name Facebook Ireland Limited.

The Irish data protection authority had launched an investigation into Meta Platforms after the company reported twelve data breaches to it between June 7 and December 4, 2018.

As a result, the authority found that the company had breached its accountability obligations: the fine recipient was unable to demonstrate what security measures it had implemented to protect EU users’ personal data in connection with the twelve breaches.

As Meta Platforms’ processing was cross-border processing, the other European data protection authorities concerned were involved in the decision under the cooperation procedure of Art. 60 GDPR.

6. Google LLC – €10.000.000

Spain – Agencia Española de Protección de Datos (AEPD)

The fine is the result of a multi-year investigation by the Spanish data protection authority, triggered by complaints from two data subjects who objected that the technology group transferred personal data to the Lumen Project.

Lumen is a project of the Berkman Klein Center for Internet & Society at Harvard University in Cambridge, Massachusetts. It was initiated in 2002 to collect requests for removal of content from websites inside and outside the U.S. and to make the resulting data available to researchers and other interested parties.

On Google LLC’s various platforms and products, which include the Google search engine, the video portal YouTube, the cloud service Google Drive and the email service Gmail, content can occasionally be found that is defamatory, prohibited by a court order, or contains personal data. To enable those affected to have such content removed, Google LLC provides a variety of contact and complaint forms.

The fine recipient had made it a condition of using these forms that copies of the removal requests submitted through them could be transmitted to Lumen and published, with contact details removed, on the website lumendatabase.org. Data subjects were informed about the transfer but were not able to object to it. Against this background, the data protection authority considered the transfer of data to the Lumen project unlawful. It further found that the fine recipient had not properly enabled data subjects to exercise their right to erasure.

In determining the amount of the fine, the authority treated as aggravating factors that the transfer to a third party in a third country took place without data subjects being able to object, that it continued over a long period, affected a large number of individuals, and involved a large volume of personal data, some of it sensitive. It also weighed negatively that Google LLC had not implemented adequate measures for the processing of personal data around removal requests and that the breach resulted from negligence: the fine recipient was aware of the GDPR’s requirements, particularly for transfers to third parties, and as a company that systematically and continuously processes personal data as part of its services, it was required to take special care.

The fine is made up of EUR 5,000,000 for a violation of Art. 6 GDPR and EUR 5,000,000 for a violation of Art. 17 GDPR.

7. Clearview AI Inc. – €9.000.000

United Kingdom – Information Commissioner’s Office

The present fine is related to biometric profiles that the US company had unlawfully made of individuals in the UK.

Clearview AI offers a service that uses artificial intelligence to create biometric profiles of individuals. The data required for this is extracted from photos of the persons concerned. For this purpose, the company maintains a database of currently around 20 billion images of faces, collected by web scraping from public internet sources (including social media and online videos) from all over the world. The resulting profiles can be additionally enriched with information associated with these images (e.g. tags, locations, websites).

It is not known how many of the profiles created by Clearview AI relate to individuals in the United Kingdom; the fine recipient told the UK data protection authority, the ICO, that it was unable to provide this information. However, since the company’s service had been used by clients in the United Kingdom on a trial basis, the authority assumed that a large number of British data subjects were affected. For example, the authority was aware that at least five UK law enforcement agencies had used Clearview AI’s services.

Centrally, the ICO considered that the processing of UK individuals’ data for biometric profiling had taken place without a legal basis and was therefore unlawful. Clearview AI had also breached the principle of storage limitation by not defining retention periods for the data: as the authority noted, there was no indication of the conditions under which, or whether, data once collected was ever deleted. On the contrary, the database grew constantly. Despite the high risk to data subjects, no data protection impact assessment had been carried out.

Clearview AI had also not properly informed data subjects about the processing of their data. The only way for data subjects to obtain information was to contact the company on their own initiative, which first required sending the company a photo of themselves to be checked against the database. In the authority’s view, the fine recipient had thereby not only breached its duty to provide information but had also made it harder for data subjects to exercise their rights of access, rectification, erasure and objection, and their right not to be subject to a decision based solely on automated processing.

In addition to the fine, the ICO banned the company from further collecting publicly available online data of individuals in the United Kingdom. Likewise, the authority ordered the company to delete the data it had already collected from them.

The Italian data protection authority had already fined Clearview AI EUR 20 million for the unauthorized creation of biometric profiles of individuals in Italy on February 10, 2022.


8. REWE International AG – €8.000.000

Austria – Datenschutzbehörde

According to a report in Salzburger Nachrichten, the Austrian data protection authority has imposed a fine of EUR 8 million on grocer Rewe. The reason is data protection violations identified by the authority at jö Bonus Club, the joint customer loyalty program of Rewe, OMV and other partners.

The penalty notice is not yet legally binding; Rewe has announced that it will appeal. The company stated that jö Bonus Club is operated by Unser Ö-Bonus Club GmbH, a legally and economically independent Rewe subsidiary, and that the parent company is therefore not responsible for the data processing carried out as part of jö Bonus Club. The data protection authority had already imposed a fine of EUR 2 million on Unser Ö-Bonus Club GmbH in August 2021 (also not yet legally binding).

Further details on the case and the exact violations are not yet known.

9. Cosmote Mobile Telecommunications S.A. – €6.000.000

Greece – Hellenic Data Protection Authority

The fine relates to a data breach that the company had reported to the Greek Data Protection Authority.

An attacker had penetrated the systems of COSMOTE Mobile Telecommunications S.A. (COSMOTE ΚΙΝΗΤΕΣ ΤΗΛΕΠΙΚΟΙΝΩΝΙΕΣ Α.Ε.) and exfiltrated data, then leaked a file containing call data of COSMOTE customers from January 9 to May 9, 2020. From the dataset it was possible to extract, among other things, the telephone numbers of call participants, the age, gender and contract details of COSMOTE customers, and the duration and time of each call. In total, 4,792,869 COSMOTE customers and 6,939,656 people whom they had called during that period were affected by the incident.

The data protection authority’s investigation found that the fine recipient had not properly anonymized the data in the compromised dataset, had conducted the data protection impact assessment incorrectly, and had not properly informed data subjects about the processing of their data.

Furthermore, COSMOTE had not properly regulated its processing of the data with Hellenic Telecommunications Organization S.A. (OTE, Οργανισμός Τηλεπικοινωνιών της Ελλάδος Α.Ε.), which was involved in the security infrastructure at the fine recipient. During the investigation both companies stated that they operated the systems jointly, but there was neither a joint controllership agreement nor a data processing contract between them.

The fine is made up of EUR 1.3 million for a violation of Article 35(7) GDPR, EUR 1.95 million for violations of Article 5(1)(a) and Articles 13 and 14 GDPR, EUR 1.3 million for a violation of Article 25(1) GDPR, and EUR 1.3 million for violations of Article 5(2) and Articles 26 and 28 GDPR.

OTE was fined EUR 3.25 million in the same proceedings.

10. Interserve Group Limited – €5.033.000

United Kingdom – Information Commissioner’s Office

The fine relates to a data breach that the construction company had reported to the UK data protection authority, the ICO, in accordance with Article 33 GDPR.

An Interserve Group Limited employee had opened a phishing email containing a zip file with malware. The company’s antivirus removed some of the malware, but the attackers retained access to the employee’s computer. From there they compromised additional servers and systems, uninstalled the company’s antivirus solution, and accessed the personal data of up to 113,000 Interserve employees, including names, phone numbers, bank account details, national insurance numbers, salary information and other sensitive data.

The ICO’s investigation found that the company had failed to implement technical and organizational measures ensuring a level of security appropriate to the risk to data subjects. For example, the fine recipient ran an outdated and unsupported operating system on its servers, its antivirus protection was not up to date, no vulnerability testing had been carried out, the employee in question had received no data protection training, and, in addition to the outdated security protocols in use, the antivirus alert had not been investigated further.

In assessing the amount of the fine, mitigating consideration was given to the fact that the company had cooperated extensively with the ICO and had made significant financial investments to improve its security measures after the incident.

CookieFirst

Get consent before loading third party tracking scripts

CookieFirst aims to make ePrivacy and GDPR compliance easy and quick to implement. The CookieFirst platform offers third-party script and consent management, statistics, periodic cookie scans, automated cookie declaration, banner customization, multiple language options, and more. Avoid large fines and get consent before loading third-party tracking scripts — try CookieFirst!