Home / Legal Publications / GDPR Enforcement Tracker Report / Media, Telecoms and Broadcasting

Media, Telecoms & Broadcasting

   

Companies in the media, telecommunications and broadcasting sectors continue to be strictly controlled by data protection authorities. To date, fines in this sector amount to EUR 1.7 billion, based on 218 fines in 19 countries (+ EUR 1.1 billion and + 41 fines compared to the ETR 2022). Considering the total amount of fines of around EUR 2.77 billion for all sectors of the economy, the media, telecommunications and broadcasting sector accounts for almost two thirds of all fines. This sector has the highest number of fines, which is partly due to the fact that the turnover of the fined companies is among the highest. Fines against Meta remain an ongoing topic. Examples include the fines imposed by the Irish DPA (DPC) on Meta Platforms Ireland Limited of EUR 265 million, of EUR 390 million and of EUR 405 million. It is also worth mentioning the fine of EUR 10 million against Google LLC imposed by the Spanish DPA (AEPD).

Let's take a closer look


  • The Irish DPA fined Meta Platforms Ireland Limited EUR 265 million because of the publication of user data (ETid-1502). The starting point for the imposition was the publication of personal data, such as names, telephone numbers and email addresses, of up to 533 million users from over 100 countries in a hacker forum. The hackers took advantage of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features. The DPA concluded that Meta had violated Art. 25 (1), (2) GDPR with regard to the above-mentioned functions. According to Art. 25 GDPR, the principles of data protection law must already be taken into account in the design of data processing systems and processes.
  • A further fine of EUR 390 million was imposed on Meta by the Irish DPA for the unlawful use of user data on the Facebook and Instagram platforms (ETid-1543). In addition to the fine, Meta was also directed to remedy the offending processing activities within three months. Shortly before 25 May 2018, Meta had amended the terms of use applicable to Facebook and Instagram to the effect that, instead of the consent of the users, a contract between Meta and the platform users would be used as the legal basis for the data processing taking place. In Meta's view, personalised, behavioural advertising was also legitimised by the user contract. The DPA considered this legitimisation of Meta to be lawful in principle and therefore originally intended to impose a significantly lower fine, only on the grounds of transparency violations. However, in the course of the supervisory consultation procedure, this decision was withdrawn and the Irish DPA was obliged to also assess the legitimisation of the advertising data processing on the basis of the contract as unlawful. As a result, the fine also had to be increased.
  • The third decisive fine against Meta, amounting to EUR 405 million, was imposed by the Irish DPA because minors' Instagram business accounts publicly displayed their mobile phone numbers and email addresses (ETid-1373). In addition, the settings for the underage users' accounts were set to "public" by default, making their social media content publicly viewable unless they changed the account settings. This breach affected millions of minors.
  • The Spanish DPA fined Google LLC EUR 10 million (ETid-1176). Two data subjects complained to the DPA that Google had disclosed their personal data to third parties without their consent. In the course of its investigation, the DPA found that Google provided copies of its users' deletion requests to Harvard University's Lumen Project, which collects requests to remove content from websites inside and outside the US and makes them available on its website. Although the data subjects were informed by Google of the transfer to Lumen as part of the complaint form, they were not given the opportunity to object. In this context, the DPA also found that Google did not sufficiently enable data subjects to exercise their right to erasure of their data. The amount of the fine is composed of EUR 5 million for infringement of Art. 6 GDPR and EUR 5 million for an infringement of Art. 17 GDPR.

Main takeaways

The most common reason for fines in the media, telecoms and broadcasting sectors remains insufficient legal basis for data processing operations. All data processing operations must have a sufficient legal basis according to Art. 6 GDPR. Moreover, fines against Meta remain a recurring topic. Such cases also demonstrate that the consultation procedure set out in the GDPR has an important function, particularly in relation to the enforcement of the GDPR in Ireland. Without the relevant consultation and the final decision of the European Data Protection Board, the case at hand would have been decided and sanctioned in a fundamentally different way. In addition, care must be taken to ensure that all transfers to third parties are subject to data protection law.