First GDPR Penalties Levied By Year’s End, EU Privacy Boss Says
Organizations violating the General Data Protection Regulation’s (GDPR) privacy rules will be hit with fines, warnings or temporary bans by the end of 2018, the European Union’s privacy boss said earlier this week.
“I expect [the] first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” European Data Protection Supervisor Giovanni Buttarelli told Reuters.
The penalties will be imposed both on companies and public entities and extend across EU member countries, he said. Citing ongoing investigations, Buttarelli refused to name any organizations as early transgressors, the report said. It’s possible that giants British Airways and Facebook could be among the culprits (see below). An organization running afoul of the GDPR’s mandates is subject to the higher figure of four percent of global sales or $23 million (20 million euros).
“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli reportedly said.
Facebook could be hit with billion in fines if the EU dings the company for failing to adequately protect data in a recent breach of more than 50 million accounts, the largest known security breach in the company’s history. In that instance, an as-yet unidentified hacker exploited a technical vulnerability in Facebook’s code that impacted its ‘View As’ feature, which lets people see how their profile is viewed by others. The hackers subsequently stole the login tokens (digital keys) of some 50 million people and potentially gained command over their accounts.
Last year, U.K. regulators tagged Facebook with the maximum allowable penalty of $650,000 under earlier data protection laws over its unauthorized sharing with Cambridge Analytica of personal data on millions of its users. In that case, had Facebook been fined under the GDPR the penalty could have been $1.6 billion.
British Airways (BA) might also be fined under the GDPR owing to a security breach in late August and September when hackers dipped into the airline’s database to hijack account numbers and personal information of customers booking travel online. BA could be penalized up to $650 million under the GDPR’s rules.
Earlier this year, the U.K.’s Information Commissioner’s Office, a regulatory watchdog, said that in the six weeks from May 25 — when the GDPR took effect — to July 3, some 6,300 documented grievances were filed by U.K. individuals and companies claiming their personal data has been accessed without permission. That’s more than 2.5 times the number recorded in the same period last year. Roughly 10 percent of the complaints are linked to financial services, with others coming from the education, health and local government sectors.