Marriott International encountered a London class action from millions of its former guests claiming compensation after their personal information was compromised in a massive data breach between 2014 and 2018. However, this was not the first time for the popular hospitality firm to face a lawsuit. In July 2019, the U.K.’s Information Commissioner’s Office (ICO) imposed a £99.2 million (US$123.7 million) fine on Marriott failing to protect its customers’ information and violating the EU’s General Data Protection Regulation (GDPR) regulations.
By Rudra Srinivas, Feature Writer, CISO MAG
As per the GDPR guidelines, organizations are accountable for the customers’ personal data they hold. Ever since the GDPR was launched (on May 25, 2018), the data regulators have churned out high penalties from organizations for data breaches and misuse of customer information.
The year 2019 had already seen several organizations slammed with sizable fines and settlements for security incidents. Here is a glimpse at the organizations that suffered the biggest GDPR fines in 2020 so far:
In January 2019, Google was fined 50 million euros (around US$57 million) by the French data regulator CNIL (National Data Protection Commission) for violating the GDPR norms. The fine was levied for Google’s limited information, lack of transparency, and valid consent from its users regarding ads personalization.
Google’s fine is from the last year, and the search engine giant challenged the verdict. In June 2020, the Council of State in France rejected the appeal and upheld the penalty.
Google also agreed to pay $7.5 million in a settlement to resolve a class-action lawsuit filed with the U.S. District Court Judge Edward Davila in San Jose for exposing the private data of around 500,000 former Google+ users to third-party developers.
In January 2020, the Italian Data Protection Authority (Garante) imposed a €27.8 million (US$31.5 million) fine on telecommunications operator TIM for violation of the GDPR guidelines. The company got sued for its unauthorized data processing activities, aggressive marketing strategy, data breaches, and illegal collection of consents. Millions of users were flooded with promotional calls and unsolicited communications, including non-customers and members in exclusion lists.
3. Wind Tre S.p.A.
In July 2020, Garante fined over €16.7 million (US$ 21.8675 million) on Wind Tre, a mobile telecoms operator, for using customers’ personal data without their consent. The company was also accused of aggressive direct marketing techniques that violated the GDPR regulations.
4. Unknown Firm in Netherlands
In April 2020, the Dutch Data Protection Authority imposed its largest fine €725,000 (US$ 821,600 million) to date to an unknown company for illegally using employees’ fingerprint scans for its attendance records over the period of 10 months. As per the GDPR, biometric data is classified as sensitive information and subjected to stringent protections.
These GDPR fines should act as an eye-opener to other organizations that are not abiding by the data security policies. Apart from financial implications, a GDPR fine could also affect the organization’s image and even lead to permanent loss of customers. Therefore, it is worthwhile for organizations to consider the legal requirements of the GDPR.
About the Author