Cyberlands.io - API Penetration Testing

9 Biggest GDPR Fines for US Companies

Learn about the importance of GDPR and 9 big cases of US companies who've violated it
In the digital age of targeted ads, search history analysis, and multifactor authentication, data security matters more than ever. Every day we use different platforms and services on the Internet and enter our personal data, including name, phone, address, email, bank credentials, etc., to do our jobs, chat on social media and purchase products.

The unstoppable growth of data sharing and use has prompted governments in different countries to pass laws controlling how personal information is collected and used. Today we'll talk about one of the most confusing yet critical EU regulations, one that has already affected hundreds of thousands of US companies: the GDPR, or General Data Protection Regulation. This law applies to every company that uses the personal data of data subjects located in the European Union.

According to Finbold's statistics, EU GDPR fines in Q3 2021 hit €984.47 million, almost 20 times higher than in Q1 and Q2 combined, and around three times higher than across the whole of 2020. The GDPR fine analysis indicates that companies from the telecommunications and tech industries have suffered the most, but what about American organizations? Let's analyze the top 9 highest fines issued to US companies under the EU GDPR.
#1 First Case Under the EU's Data Protection Rules: Twitter Hit with a €450,000 Fine for a Data Breach
In December 2020, Ireland's Data Protection Commission (DPC) issued a €450,000 (around $546,000) fine for the Twitter data breach disclosed in January 2019; that's around 2% of the company's global annual revenue. The popular social media platform was found to have violated the EU's General Data Protection Regulation (GDPR) because it did not inform the regulator about the data breach within 72 hours of discovering it.

This fine is notable as the first case in which a US tech giant has been hit with a GDPR fine in a cross-border case, meaning the Irish regulator had to confer with its EU partners before taking the final decision. This has also become a subject of discussion: the cross-border process took a long time before the fine was issued, which has drawn criticism of the GDPR's efficiency.
#2 Uber Fined Over €1 Million by EU Data Protection Authorities
On November 27, 2018, the world's largest mobility service provider was hit with fines from the UK and Dutch data protection authorities totalling around $1.2 million over its large-scale data breach of 2016. According to the sources, this breach affected more than 57 million Uber users.

The UK Information Commissioner's Office based its fine on the company's failure to take appropriate measures to secure its clients' and customers' personal data, while the Dutch regulator fined the company for not reporting the data breach within 72 hours of uncovering it.

Because the breach occurred before the EU General Data Protection Regulation ("GDPR") came into force, both fines were issued under existing UK and Dutch law. Nevertheless, they offered plenty of insight into what governments would expect from companies regarding personal data protection going forward.
#3 Grindr Faces €10.3 Million Data Privacy Fine
In January 2021, one of the most famous social networking and dating applications for gay, bisexual and trans people was issued a huge fine in Norway for a data privacy breach. The unlawful disclosure of user data dates back to the early period after the app's launch in 2009, when Grindr had different privacy policies and practices in place; the app was later found to be leaking customer data to advertising firms. The personal data transferred to third parties included user profile data, GPS location, and even the fact that a person was a Grindr user at all; all of it was unlawfully used for marketing purposes by Twitter, Xandr, OpenX Software, AdColony, and Smaato.

According to official sources, this GDPR penalty of $11.7 million corresponds to nearly 10% of Grindr's estimated global annual revenue. As for the company's partners, the Norwegian Consumer Council has also filed complaints against the third parties listed above, which were receiving the data from Grindr. These cases are still pending.
#4 Affected Around 339 Million Guests: Marriott Hotels Fined Above €21.6 Million for the Large-Scale Data Breach
As a result of a large-scale data breach that may have affected up to 340 million guests, the UK's data privacy watchdog fined the Marriott hotel chain £18.4 million.

The first breach occurred in early 2014 and affected the Starwood Hotels group, which Marriott acquired two years later. The attackers kept access to the affected systems, which stored large amounts of guests' private data including names, emails, phone numbers, passport details, and more, right up until 2018, when the problem was discovered. One of the largest hotel chains in the world apparently did not check the systems of the business it was buying before the purchase, and the consequences reached millions of people all over the world.

On these grounds, Marriott was accused of failing to protect personal data as required by the General Data Protection Regulation (GDPR). In its official statement, the hotel corporation wrote that it "deeply regrets the incident" and "continues to make significant investments in security measures for its systems."
#5 US Facial Recognition Firm Faced €20 Million Fine for 'Serious Breaches'
The US company Clearview AI was accused of downloading personal images from social media sites to develop its facial recognition technology without people's knowledge, and faced a fine of £17 million after this was uncovered by the Information Commissioner's Office (ICO).

"The world's largest facial network", as Clearview AI describes itself, allowed its users to compare facial data against a large image database of over 10 billion photos collected from numerous Internet sources. According to the ICO's statements, this data "may have been gathered without people's knowledge from publicly available information online, including social media platforms". Moreover, the company failed to meet the higher data protection standards required for biometric data and did not notify people that their data had actually been used.
#6 Facebook Privacy Fine: Irish Regulator Proposed €36 Million for the Privacy Breach
Facebook, the social media giant owned by Meta, was fined by Ireland's Data Protection Commission (DPC) in October 2021. The Irish commission, the lead regulator for Facebook and many other technology companies under the "One Stop Shop" data regime, proposed a fine of €28 million to €36 million for Facebook's failure to be transparent about the lawfulness of its personal data processing, specifically around its terms of service.

A DPC spokesman said the commission had sent the draft decision to the other EU supervisory authorities and had no further comment on the details of the process.
#7 CNIL's Restricted Committee Imposed a Financial Penalty of €50 Million Against Google LLC
In May 2018, the French National Data Protection Commission (CNIL) received complaints from the None Of Your Business (NOYB) and La Quadrature du Net (LQDN) associations. They accused Google of not having a valid legal basis for using its users' personal data, particularly for the purpose of ads personalization.

After a detailed investigation, the CNIL uncovered two major breaches of the GDPR:

  • A violation of the obligations of transparency and information: the information provided by Google is spread across multiple documents, which makes it harder for a user to access. Additionally, users cannot fully find out how their data is processed, and for some data the retention period is not specified.
  • A violation of the obligation to have a legal basis for ads personalization processing: the committee considered the users' consent invalid because they were not sufficiently informed when giving it.

With this said, the CNIL's restricted committee publicly issued a fine of €50 million to Google.
#8 WhatsApp Faced Second Largest GDPR Fine of €225 Million
In September 2021, WhatsApp was issued the largest fine ever from the Irish Data Protection Commission, which, at the time of writing, is the second-highest under EU GDPR rules. The fine related to an investigation started in 2018 into WhatsApp's lack of transparency about its data storage and transfer processes. Moreover, because of the frequent policy updates, the commission had to investigate technical questions such as whether the company gave app users enough information about how their data is processed and whether its privacy policies were clear enough.

A company spokesman claimed that "WhatsApp is committed to providing a secure and private service". According to official sources, the company disagrees with the DPC's decision and considers the penalties entirely disproportionate.
#9 Amazon.com Appealed a Record €746 Million Penalty for Violating the GDPR
In October 2021, Henri Eippens, a spokesman for Luxembourg's Administrative Tribunal, confirmed that Amazon's appeal against the record GDPR fine of €746 million ($865 million) is currently pending.

The appeal is a response to the fine issued in July by the CNPD, Luxembourg's data protection regulator. According to the sources, the U.S. tech giant violated the bloc's General Data Protection Regulation; the case was triggered by a 2018 complaint from the French privacy rights group La Quadrature du Net.

The company has claimed that it collects customer and client data to improve the customer experience, and that it has set specific guidelines governing how employees must process and use it. However, some experts and regulators have raised concerns that Amazon has used this data to gain an unfair advantage in the marketplace.

Currently, inspections and probes of the company's sales services are being conducted in several EU countries including Germany and France, and similar issues are being examined in the U.K.
Wrapping Up
Having reviewed the most high-profile EU GDPR fines imposed on American companies, it becomes much easier to understand which aspects are critical for complying with these regulations. Additionally, analyzing the unfortunate experience of the world's largest organizations can help you spot the weak points and possible mistakes in your own company's workflow that need improvement.

Finally, being aware of other companies' cases can help your business avoid facing similar issues in the future!
Cyberlands.io Team