Warning for property as GDPR breaches rise
H&M and Amazon accounted for almost a quarter of data protection and e-privacy fines in Europe last year, as the total amount of penalties issued in 2020 across the region topped €300m.
H&M was fined €35.3m in October by the Hamburg data protection authority for collecting private information from employees. Amazon Europe Core was fined €35m in December by the French data regulator CNIL for placing advertising cookies on users’ computers “without obtaining prior consent and without providing adequate information.”
While the H&M fine was issued due to a breach of GDPR – and is the second largest fine issued under GDPR to date – Amazon was fined under the French Data Protection Act’s e-privacy laws, which regulate electronic communication that includes non-personal data.
The figures come from an online tracker by finance publication Finbold.com, which has so far tracked €306.3m of data protection fines issued in Europe last year.
Data protection and its regulation are growing in importance within property, with high-profile cases such as those of H&M and Amazon highlighting the risks of alleged non-compliance.
Dan Hughes, founder of consultancy Alpha Property Insight, said: “The implications of GDPR and other regulations are well known, but whilst most will have considered this from a business perspective, not enough are considering the data being collected in buildings or that of their supply chain.
“Fines in this space can be significant, but I would argue that this is only the tip of the iceberg: moving forward, just managing data legally will not be enough as we need to consider data ethics, whether we should be collecting and using data. Real estate can learn a lot from other sectors where not only are there legal issues today, but also reputational ones.”
Under GDPR itself, regulators have issued €272.5m of fines since it came into force in May 2018, according to a new report by DLA Piper. More than half of those fines, 58% or €158.5m, have been issued since 28 January 2020.
Since then, there have also been 121,165 breaches, up 19% on the year before.
But while the number of fines has increased, the report highlights that there have been cases of “significant climbdowns” by regulators. In the UK, for example, the Information Commissioner’s Office published an intent to impose fines on British Airways and Marriott International totalling £282m, but these were later reduced to £22m and £20.5m, respectively.
Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group, said: “Regulators have been testing the limits of their powers this year issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way with some notable successful appeals and large reductions in proposed fines.
“Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defences of enforcement action continue.”