4 Biggest GDPR Fines of 2020 (So Far)

  • 16 July 2020

Since the GDPR (General Data Protection Regulation) came into force in 2018, countless organizations have made headlines for violations. British Airways, Marriott International Hotels, Austrian Post…but what about this year? 

Keep reading to find out how many fines have been handed out in 2020, which organizations have been slapped with the biggest fines, why, and how the violation could have been prevented. 

Key findings include:

  • Google received the biggest fine so far in 2020 – €50 million ($56.6 million)
  • Over 330 fines have been handed out for GDPR violations in the first seven months of 2020
  • The total amount of fines issued so far in 2020 exceeds €153 million
  • Between 2018 and 2019, the average number of fines issued per month increased by 260%
  • March 2020 saw the highest number of fines issued in a single month since the GDPR was introduced – a total of 36
  • Only 20% of US, UK, and EU companies are fully GDPR compliant
  • Misdirected emails have been the primary cause of data loss reported to the Information Commissioner’s Office (ICO)

More and more GDPR fines are being issued 

As of July 2020, around 330 fines have been handed out for GDPR violations. Based on trends from the last 24 months, we can expect this number to continue rising. 

Between July 2018 and June 2019, an average of 5 fines were handed out each month. But, between July 2019 and June 2020, an average of 18 fines were handed out each month. That’s a 260% increase. And, with 36 fines issued for non-compliance in March 2020 alone, it’s clear that the EU supervisory authorities take information security and compliance very seriously. But, do organizations? Maybe not…

Research suggests that only 20% of US, UK, and EU companies are fully GDPR compliant and – worse still – a whopping 30% of companies have yet to even start their GDPR compliance initiatives. Ensuring compliance is key, though, especially when organizations can be fined up to €20 million (just short of $23 million) or 4% of annual global turnover, whichever is higher, for a violation.

The biggest GDPR fines of 2020 so far

While we’re just over halfway through the year, we have already seen fines that shatter records set in previous years. Here are the biggest GDPR fines of 2020 so far:

1. Google – €50 million ($56.6 million) 

Although Google’s fine was technically issued last year, by the French regulator CNIL, the company lodged an appeal against it. Last month, however, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty. 

Google was hit with this GDPR fine – the largest one to date – for multiple infractions under Articles 5, 6, 13, and 14. While each violation is slightly different, the long and short of it is that Google wasn’t transparent in divulging how they harvested and used data for ad targeting. 

How the violation(s) could have been avoided: Google should have given users clear, easily accessible information about what data was collected and why before asking for consent, and should have granted them granular control over how their personal data is processed, rather than bundling ad personalization into a single pre-ticked agreement.

2. TIM – €27.8 million ($31.5 million)

Just two weeks into the new year, on January 15, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that had accumulated over the last several years. 

TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.  

How the violation(s) could have been avoided: TIM should have managed its lists of data subjects more carefully, honored opt-outs and do-not-call registrations across every channel and every third-party call center acting on its behalf, and obtained specific, separate opt-ins for each marketing activity.  

3. Google – €7 million ($7.9 million)

It has not been a good year for Google. In March, the Swedish Data Protection Authority (SDPA) fined Google for neglecting to remove a pair of search result listings under the GDPR’s “right to be forgotten” (Article 17), which the SDPA had ordered the company to do in 2017. 

How the violation(s) could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten, also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.” 

You can find more information about how to comply with requests for erasure on the ICO’s website.

4. Unknown – €725,000 ($821,600)

In April, the Dutch Data Protection Authority handed out its largest fine to date to a company it has not named for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. The violation continued for around 10 months. Note: under the GDPR, biometric data used to uniquely identify a person, such as fingerprints, is a special category of personal data (Article 9). Processing it is prohibited unless one of the specific exceptions in Article 9 applies, and it is subject to more stringent protections. 

How the violation(s) could have been avoided: The company should have had a valid, lawful basis, and an applicable Article 9 exception, for collecting employees’ fingerprints. Employee consent rarely qualifies, because of the imbalance of power between employer and employee, so a less intrusive way of recording attendance was the realistic option. It should also have had appropriate technical and organizational measures in place to protect the data, and a clear retention period and process for deleting it. 

What else can organizations be fined for under GDPR? 

While the biggest fines so far in 2020 involve a lack of transparency and valid consent, unlawful marketing, failure to erase personal data when individuals request it, and unlawfully requiring employees to have their biometric data recorded, there are a number of other ways in which a breach can occur. 

In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks.

How does Tessian help organizations stay GDPR compliant?

“Tessian exceeded the expectations of our GDPR team. You simply cannot beat seeing for yourself what the product is capable of against your own organization’s data.”
Mark Elias, IT Infrastructure Manager at Coastal Housing

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.
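To make the “relationships” idea concrete, here is a small, added example (not Tessian’s code, and not from the original post) of how a relationship-based check for misdirected recipients can work. It learns, per sender, which addresses and domains that person has emailed before, then screens a new outgoing message: a recipient at a domain one or two keystrokes away from a domain the sender really does email is flagged as a likely typo or autocomplete slip, a known contact’s name at a never-used domain is flagged as a possible wrong address-book entry, and any other unseen domain is flagged at lower confidence. The sender, recipients, and domains in the sample history are constructed for the example; `RecipientBaseline`, `screen_outgoing`, and the finding labels are hypothetical names, not a real product API.

```python
from collections import Counter, defaultdict


def local_of(address: str) -> str:
    """Part of an email address before the '@'."""
    return address.rsplit("@", 1)[0]


def domain_of(address: str) -> str:
    """Part of an email address after the '@'."""
    return address.rsplit("@", 1)[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class RecipientBaseline:
    """Per-sender model of who that person normally emails, learned from sent history.

    check() compares a new outgoing message against the baseline and returns one
    (recipient, reason) finding per recipient that does not fit the sender's
    existing relationships. An empty list means nothing looked anomalous.
    """

    def __init__(self, history, max_edit_distance: int = 2):
        self.max_edit_distance = max_edit_distance
        self.addresses = defaultdict(set)      # sender -> addresses emailed before
        self.domains = defaultdict(Counter)    # sender -> domain -> message count
        for sender, recipients in history:
            sender = sender.lower()
            for rcpt in recipients:
                rcpt = rcpt.lower()
                self.addresses[sender].add(rcpt)
                self.domains[sender][domain_of(rcpt)] += 1

    def check(self, sender: str, recipients):
        sender = sender.lower()
        known_addrs = self.addresses.get(sender, set())
        # The sender's own organisation is always an expected destination.
        known_domains = set(self.domains.get(sender, {})) | {domain_of(sender)}
        known_locals = {local_of(a) for a in known_addrs}
        findings = []
        for rcpt in recipients:
            rcpt = rcpt.lower()
            dom = domain_of(rcpt)
            if rcpt in known_addrs or dom in known_domains:
                continue
            # Highest-confidence signal: a domain one or two edits away from a
            # domain the sender really does email (typo or autocomplete slip).
            lookalike = [k for k in known_domains
                         if 0 < levenshtein(dom, k) <= self.max_edit_distance]
            if lookalike:
                findings.append((rcpt, "lookalike-domain:" + sorted(lookalike)[0]))
            elif local_of(rcpt) in known_locals:
                # Same name as a known contact but at a domain never used before,
                # e.g. a personal address picked from the address book by mistake.
                findings.append((rcpt, "known-contact-other-domain"))
            else:
                findings.append((rcpt, "unseen-domain"))
        return findings


# Constructed sample history (hypothetical data, not real mail): one sender's past messages.
SENT_HISTORY = [
    ("alice@example.com", ["bob@example.com"]),
    ("alice@example.com", ["bob@example.com", "carol@acme-corp.com"]),
    ("alice@example.com", ["carol@acme-corp.com"]),
    ("alice@example.com", ["carol@acme-corp.com", "dave@acme-corp.com"]),
    ("alice@example.com", ["erin@example.com"]),
]

BASELINE = RecipientBaseline(SENT_HISTORY)


def screen_outgoing(sender: str, recipients):
    """Findings for one outgoing message, checked against the shared baseline."""
    return BASELINE.check(sender, recipients)


if __name__ == "__main__":
    for rcpts in (["carol@acme-corp.com"], ["carol@acme-crop.com"], ["carol@gmail.com"]):
        print(rcpts, "->", screen_outgoing("alice@example.com", rcpts))
```

In a real deployment the baseline would be rebuilt continuously from the mail gateway’s logs, the “unseen-domain” finding would be weighted by how often the sender emails externally at all, and a lookalike hit would warrant blocking or a confirmation prompt before the message leaves, since a typo in a customer’s domain is exactly how a misdirected email becomes a reportable personal data breach.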

Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

To learn more about how Tessian helps with GDPR compliance, you can read our customer stories or book a demo. Or, for information about other data privacy legislation, check out our compliance hub.