GDPR 5 years on: Spain, Ireland lead in issuing fines; Meta hit hardest

Five years ago – May 12, 2018, in fact – the Bulgarian Personal Data Protection Commission fined a domestic bank €500 (US$536) for calling a client about the unpaid bills of neighbor.

The client invoked the right to be forgotten but did not respond, and an action under a new European Union law was initiated.

It was the first time the General Data Protection Regulation had been invoked.

Ultimately, the commission found that the bank had not gotten consent to process the client’s data for the matter.

That was the first but not the smallest fine levied under the GDPR, according to a research tool published by trade publication Privacy Affairs. The smallest was €28 ($30) on an entity in Hungary three years ago.

(Privacy Affairs says not all GDPR fine information is public. Its data only reflects published data.)

Coincidentally, the largest binding GDPR penalty ever issued came just this month, the law’s fifth anniversary. The Data Protection Authority of Ireland is demanding Meta Platforms pay €1.2 billion ($1.29 billion) for violating international data transfer requirements, according to technology research and consulting firm Forrester.

Meta’s fine (which was not its only final, binding GDPR fine) was No. 1701.

Considering that the total sum fined under the GDPR over its lifetime is €4 billion ($4.29 billion), the average fine is €2.4 million ($2.57 million).

Facebook’s parent company appears twice among the top five penalties received.

No. 2 is Amazon Europe Core (€746 million), No. 3 is Meta Ireland (€265 million), No. 4 is WhatsApp (€225 million) and No. 5 is Google (€90 million).

Generally considered one of the most consequential multinational civil and criminal regulations, the GDPR has lived up to that expectation, putting it in the same league as EU environmental law.

Spain has issued the highest number of finalized fine, 594, which is almost three times the second most fining nation, Italy, with 244 fines. Greek regulators have been busy as well.

It is worth noting that TikTok has been fined only €15 million ($16 million) in two cases, Privacy Affairs says

The top five nations in terms of levying finalized fines leads with Ireland (€2.5 billion ($2.68 billion)), Luxembourg (€746 million ($799 million)), Italy (€144 million ($154 million)), France (€293 million ($314 million)) and the United Kingdom ($75 million ($80 million)).

Ireland has fined more than just businesses. It has found fault with, for example, a CCTV network in the city of Limerick.

Article Topics

biometrics  |  data protection  |  EU  |  GDPR  |  regulation