Three years of GDPR: the biggest fines so far

It's been three years since the introduction of Europe's data privacy and security law on 25 May 2018.

GDPR governs the way organisations that operate within the EU can use, process and store consumers' personal data.

At first smaller firms and start-ups feared they did not have adequate resources to fully comply with its rules.

Other critics suggested the legislation relied too much on consumers knowing and understanding their rights.

Since its launch, hundreds of millions of euros worth of fines have been handed out by information commissioners around Europe.

Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees, and companies not complying with the "right to be forgotten" law.

The legislation replaced older data protection laws, and while it was drafted in Europe, regulators can fine organisations anywhere in the world which target or collect data in the EU.

There are two tiers of penalties, with a maximum of 20m euros (£17.29m) or 4% of global revenue.

The money collected is used to fund public services. Here are the biggest fines recorded so far:

Google was one of the first companies to be hit by a substantial GDPR fine of €50m in 2019.

It was fined after a French regulator ruled that the company had failed to make its consumer data processing statements easily accessible to its users.

The tech giant was also found guilty of not seeking the consent of its users to harness their data for targeted advertising campaigns.

Google appealed, but France's higher court upheld the fine in June last year.

H&M was fined by German regulators in 2020 after it was found to have been secretly monitoring hundreds of its employees.

If workers took holiday or sick leave, they were required to attend a meeting with senior staff at the retail giant on their return.

These meetings were recorded, and made accessible to H&M managers without the knowledge of staff.

The data collected from the interviews was used to make a "detailed profile" of workers, which then influenced decisions concerning their employment.

In early 2020, the Italian data protection authorities issued a mammoth €27.8m fine to telecoms firm Tim, formerly known as Telecom Italia.

The fine was levied after a large number of complaints about unwanted promotional calls. Garante, the regulator, said it had received hundreds of complaints, external from January 2017 to early 2019.

It said customers were getting nuisance calls without having given their consent - even if they had registered their telephone numbers on Italy's "do not call" list or explicitly told callers they were revoking consent for such calls. One person was reportedly called 155 times in a single month.

The violations were several and serious, the regulator found, issuing the large fine and 20 "corrective measures" for the firm.

British Airways was fined in 2020 after users of its website were directed to a fraudulent site.

Through the data breach, hackers were able to harvest the personal data of about 400,000 people.

The leaked data included login and travel booking details, names, addresses and credit card information.

Initially, the Information Commissioner's Office (ICO) said it planned to fine BA £183.4m - which would have been the largest fine issued under GDPR.

But more than a year later, it dramatically lowered the fine, saying "the economic impact of Covid-19" had been taken into account.

It was still the highest fine issued by the ICO, which found that the hack was the result of British Airways' negligence.

BA said it had let customers know as soon as it became aware of the problem, had fully co-operated with the investigation, and that it had "made considerable improvements to the security of our systems since the attack".

British hotel chain Marriott International was fined in 2020 in relation to a hack dating back to 2014, but not uncovered until four years later.

The hack exposed the personal details of about 300 million customers including credit card information, passport numbers and dates of birth. Seven million of those guest records related to people in the UK.

Similar to the British Airways fine, the ICO initially said it planned to issue a much higher fine of £99m - but lowered the amount later.

In the UK, all penalties handed out by the ICO are paid into a central government fund which belongs to the Treasury.

The Consolidated Fund is the government's general bank account at the Bank of England.

It was established in 1787 with the purpose of being "one fund into which shall flow every stream of public revenue and from which shall come the supply of every service".

This means that just like tax revenue, GDPR fines are used to fund public services.

The majority of other countries in the EU use a similar structure.

Rob Elliss, from tech company Thales, says that despite success so far in handing out substantial fines, GDPR will face more challenges in a post-Covid world.

"When GDPR was first drafted, the legislation did not necessarily account for the adoption of new technologies and rapid migration to the cloud brought on by the pandemic," he said.

"In this remote working era, businesses needed to digitally transform almost overnight just to keep the lights on, without necessarily incorporating security in the design of new systems and processes."

Correction 25 May 2021: An earlier version of this story contained some inaccuracies including out-of-date information about the fines imposed on British Airways and Marriott International Hotels and listing Amazon among the top five companies fined. However Amazon was not fined in connection with GDPR, but under France's separate e-privacy directive and so we have updated these figures and replaced Amazon in the list with Tim .