What are the heavy fines imposed on companies violating European obligations on the protection of personal data based on? Close-up on a mechanism that is becoming more and more expensive for Tech companies.
The total amount of penalties imposed by European supervisory authorities on companies for non-compliance with GDPR was 2.92 billion euros in 2022, according to a study by DLA Piper. This is much more than in 2021, when the total amount of fines amounted to 1.3 billion euros.
Ireland tops the chart of penalized countries with 5 fines imposed, which represent a total amount of more than one billion euros. Among the companies that have been subject to these financial sanctions is Instagram, and more specifically its parent company, Meta Platforms Ireland Limited (Meta IE), which in September 2022 received a record fine of 405 million euros, i.e. the second highest fine since GDPR’s entry into force.
The triggers were as follows: on the one hand, the public disclosure, by Instagram, of e-mail addresses and/or telephone numbers of children using an Instagram business account and, on the other hand, a public setting, by default, for children’s personal accounts on Instagram, during the survey period.
“By adopting this binding decision, the European Data Protection Board (EDPB) sends a clear message to companies targeting children that they must be much more careful. Children deserve special protection with regard to their personal data,” said Andrea Jelinek, President of the EDPB. This body is behind the binding decision that forced the Irish Data Protection Commission (DPC) to review its initial copy in this case.
Violation of GDPR articles as the basis for financial sanctions
When a fine is imposed, the national supervisory authority (or the EDPB when it intervenes), systematically invokes the violation of certain articles of GDPR. In the case of Instagram, one of the fundamental pillars of European Union data protection law, namely the lawfulness of processing within the meaning of GDPR Article 6 (FR) was in the balance. The EDPB challenged Instagram’s (Meta IE) right to use “performance of contract” and “legitimate interest” as legal bases for data processing.
As part of another fine, this time pronounced by the CNIL against the company Discord Inc. (voice over IP and instant messaging service) in November 2022 for an amount of 800,000 euros, several other breaches of the obligations of GDPR which are taken into account, in particular in terms of retention periods and security of personal data.
The breaches penalized relate to the obligation to define and respect a data retention period adapted to the objective sought (article 5.1.e of GDPR), the obligation to inform (article 13), to guarantee the protection default data (Article 25.2), to ensure the security of personal data (Article 32) and to carry out a data protection impact assessment (Article 35).
The amount of this fine was decided with regard to the breaches identified, the number of people concerned, but also taking into account the efforts made by the company to comply throughout the procedure and the fact that its business model is not based on the exploitation of personal data.
Sanctions taken following formal notices that remained unanswered
In another case, the CNIL imposed a fine of 20 million euros against Clearview AI.This company sucks up photographs from countless websites, including social media, and then markets access to its database of people images in the form of a search engine where an individual can be searched forusing a photograph.
The CNIL has ordered the company Clearview AI to stop collecting and using, without legal basis, the data of people in France and to delete those already collected.
The investigations carried out by the CNIL revealed several breaches of GDPR: unlawful processing of personal data (article 6 of GDPR) and the lack of satisfactory and effective consideration of the rights of individuals (articles 12, 15 and 17). It is also necessary to add the absence of cooperation with the services of the CNIL (article 31), the sanction having been pronounced following a formal notice which remained unanswered.
Data Protection Act sometimes invoked
Sometimes, it is a text other than GDPR as such that intervenes. This is the case of the Data Protection Act (Law No. 78-17 of January 6, 1978), invoked in the case concerning Apple Distribution International (FR), a company ordered to pay 8 million euros for not having obtained the consent of French iPhone users (iOS version 14.6) before depositing and/or writing identifiers used for advertising purposes on their devices.
CNIL services have indeed noted that under the old version 14.6 of the iPhone operating system, when a user went to the App Store, identifiers pursuing several purposes, in particular the personalization of advertisements distributed on the App Store, were automatically read on the device without obtaining consent.
To justify the fine, the CNIL noted a breach of article 82 of the Data Protection Act. In this procedure, the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply insofar as the operations related to the use of identifiers on French territory fall under the directive. “ePrivacy”, transposed in article 82 (FR) of the Data Protection Act.
Who receives the money when a financial penalty is pronounced by the CNIL?
The CNIL does not collect the amount of the fines, it is paid into the general budget of the State. A payment voucher is sent to the company concerned, which pays the fine directly to the Ministry of Economy and Finance. It should be noted that the fine must be paid by the body concerned even if it plans to appeal to the Council of State.