GDPR fines reach nearly €100 million in first half of 2022

The General Data Protection Regulation (GDPR) regulates in the EU how personal data of EU citizens may be handled. Violations of this regulation are punished with heavy fines. In the first half of 2022, such GDPR fines were issued in the amount of almost 100 million euros.

GDPR fines reached new highs in the first half of 2022. (Graphic: Atlas VPN)

An analysis by Atlas VPN shows that GDPR fines totaled €97.29 million in the first half of 2022, an increase of 92 % compared to the first half of 2021. The data for the analysis comes from Enforcementtracker, a platform that provides an overview of fines and penalties imposed by data protection authorities within the EU under the EU General Data Protection Regulation (GDPR, DSGVO).

Atlas VPN's overview and analysis show that companies and individuals were charged a total of €50.6 million in GDPR fines in the first half of 2021. On the other hand, the number of court cases decreased slightly, from 215 in 2021 to 205 in 2022. In other words, even though the number of GDPR violations decreased slightly in 2022, the severity of those violations was significantly greater, and so was the amount of GDPR fines. The most striking difference between 2021 and 2022 can be observed in February, where the total amount of fines imposed differs by almost 28 million euros. The following trend is also striking: around 70 % of GDPR fines are imposed in the first quarter.

A few particularly blatant cases

Atlas VPN also points to a couple of significant cases of GDPR fines issued in the first half of 2021 and 2022. For example, in June 2021, the Data Protection Commissioner of Lower Saxony fined notebooksbilliger.de AG €10.4 million. The German company had video-monitored its employees for at least two years without any legal basis. The unauthorized cameras recorded workplaces, sales rooms, warehouses and common areas, among other things. The company countered that the surveillance served to prevent and solve crimes and to track goods in warehouses. However, video surveillance is only lawful if there is reasonable suspicion against certain persons. If this is the case, it is permitted to monitor them with cameras for a certain period of time. In this case, however, the surveillance was not limited to specific employees or a specific period of time.

In turn, in May 2022, the Information Commissioner's Office (ICO) fined Clearview AI Inc. £7,552,800 for using images of people in the UK and elsewhere collected from the internet and social media to build a global online database that could be used for facial recognition. Clearview AI Inc. has collected more than 20 billion images of human faces and data from publicly available information. The company has not informed anyone that their images have been collected or used in this way. Furthermore, the company actually monitors the behavior of these individuals and offers this as a commercial service.

GDPR fines as "wake-up calls"

The General Data Protection Regulation was necessary because the old laws were written before the advent of new technologies like smartphones and tablets, which meant that users were not protected from companies misusing their personal data. The GDPR provides EU citizens with more clarity on how and why companies use their data. In addition, the GDPR significantly limited the data that companies can collect, allowing citizens to browse the internet and use services with much more privacy. In Switzerland, the new Data Protection Act (NDSG) will move in a similar direction. It is scheduled to come into force on September 1, 2023; companies would do well to start preparing for it today.
