The General Data Protection Regulation (GDPR) is a regulation in the EU that controls how all personal data on EU citizens is collected and processed. The legislation covers various privacy aspects, from cookies to monitoring employees in the workplace.
Worth noting that if a company outside of the EU gathers data from users inside the EU, it must adhere to the GDPR. Those who fail to comply with the GDPR requirements receive hefty fines. An analysis by Atlas VPN reveals that GDPR fines hit a total of €97.29 million in the first half of 2022, an increase of 92% over H1 2021.
The data for the analysis is extracted from Enforcementtracker. Please note that not all penalties are made public. The chart below shows monthly GDPR fines for H1 2021 and H1 2022. Companies and individuals were charged a total of €50.6 million in GDPR penalties in H1 2021. On the other hand, legal cases slightly decreased from 215 in 2021 to 205 in 2022.
In other words, even though the number of GDPR violations slightly decreased in 2022, the severity of those violations was considerably worse. The most noticeable difference between 2021 and 2022 can be seen in February, where the total amount penalized differs by nearly €28 million.
On the other hand, there is a distinctive trend throughout both years – around 70% of fines happen throughout the first quarter. In June 2021, the State Commissioner for Data Protection (LfD) of Lower Saxony imposed a fine of €10.4 million on notebooksbilliger.de AG. The German company had monitored its employees by video for at least two years without any legal basis.
The inadmissible cameras recorded, among other things, workplaces, sales rooms, warehouses, and common areas. The company countered by stating that surveillance aimed to prevent and investigate crimes and track goods in warehouses.
However, video surveillance is only lawful when justified suspicion against specific individuals exists. If that is the case, it is allowed to monitor them with cameras for a particular period. Yet, in this case, the monitoring was not limited to specific employees or a time.
In May 2022, the Information Commissioner’s Office (ICO) fined Clearview AI Inc £7,552,800 for using images of people in the UK and elsewhere collected from the web and social media to create a global online database that could be used for facial recognition. Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information. It did not inform any persons that their images were being collected or used this way.
In addition, the company effectively monitors the behaviour of those individuals and offers it as a commercial service. The GDPR was necessary because the old laws were written before the emergence of new technologies, like smartphones and tablets, which meant that users were not protected against enterprises abusing their personal information.
Luckily, the GDPR gave individuals more clarity on how and why businesses use their data. In addition, the GDPR also considerably limited the data businesses can collect, allowing individuals to browse the web and use services with much more privacy.