Aon | Professional Services Practice
Release Date: November 2020
Why should business leaders be concerned about GDPR fines?
Since the European Union’s General Data Protection Regulation (GDPR) came into force in May 2018, it has had a powerful impact on the international privacy landscape.
A New Era for Data Privacy
- Businesses and other organizations have been forced to design new privacy management programs, draft new privacy policies, appoint data protection officers and reassess their relationship with data privacy.
- Many governments have responded either by introducing new privacy legislation or amending existing laws to modernize their privacy regimes.
- The potentially significant fines that could result from GDPR violations – up to a maximum of €20 million or 4% of the company’s annual worldwide turnover for the preceding fiscal year, whichever is greater [1] – have become a top concern for many business leaders.
- Since the GDPR came into force, European national data protection authorities have imposed some 400 fines amounting to approximately €250 million [2].
Notable GDPR Enforcement Actions
In July 2019, the UK’s Information Commissioner’s Office (ICO) announced fines of £183 million [3] against British Airways and £99 million [4] against Marriott International Inc. Both fines were the result of data breaches.
In October 2020, the ICO considerably reduced the fines. The British Airways fine was reduced by 89% to £20 million [5]. The Marriott fine was reduced by 81% to £18.4 million [6]. The ICO reportedly considered the adverse impact of the COVID-19 economic lockdown in making this decision.
Following these reductions, the highest monetary penalty to emerge since the GDPR’s entry into force is the January 2019 fine against Google imposed by the French data protection authority (CNIL) [7] for a breach of transparency and information duties, as well as failure to obtain valid consent, related to the personalization of ads. The €50 million [8] fine was confirmed on appeal in June 2020.
The Italian data protection authority has issued a total of €46 million in GDPR fines in 2020 alone, the highest of all EU member states during that time [9]. A €27.8 million [10] fine against Italian telecommunications operator TIM was imposed in January 2020, mainly because of unlawful data processing and a non-compliant marketing strategy.
Considerable enforcement action has also been noted in Germany. In October 2020, Hamburg’s data protection authority [11] announced a €35.3 million fine [12] against H&M. The Swedish clothing retailer was penalized for the unlawful collection and storage of information pertaining to the personal lives of its employees.
[Figure: Timeline of Notable GDPR Fines, May 25, 2018 to October 2020. * First fine against an accounting firm]
On the Horizon
Despite the reductions in the British Airways and Marriott fines, the potential for large monetary penalties remains a very real risk for business leaders. The average monetary value of the top ten GDPR fines is over €20 million – the nominal threshold for large administrative fines referred to in Article 83 of the GDPR.
Given multiple ongoing investigations – notably including those being undertaken by Ireland’s Data Protection Commission – significant enforcement decisions may still be forthcoming. Aon will continue to monitor major developments relating to the enforcement of the GDPR and its overall impact on the data privacy landscape.
Aon’s Cyber Solutions and DLA Piper have published the 3rd Edition of ‘The Price of Data Security: A guide to the insurability of GDPR fines across Europe’.
[2] GDPR Enforcement Tracker. Retrieved from https://www.enforcementtracker.com/?insights [October 2020]
[7] Commission nationale de l'informatique et des libertés (CNIL)
[11] Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
To discuss any of the topics raised in this article, please contact Rona E. Davis.
Rona E. Davis
Senior Vice President and Executive Director