Companies in the Media, Telecoms and Broadcasting sector once again face vigorous scrutiny from data protection authorities. As of today, fines in this sector amount to EUR 596 million, based on 177 fines across 18 jurisdictions (an increase of EUR 476 million and 70 fines compared to the 2021 ETR). Measured against the aggregated fine amount of about EUR 1.6 billion across all sectors, the Media, Telecoms and Broadcasting sector accounts for more than one third of all fines. It also accounts for four of the top five fines overall, all of which were levied against internet giants at the end of 2021: the Irish Data Protection Commission levied the second largest fine (EUR 225 million) against WhatsApp for violation of the transparency principle; the French CNIL levied the third (EUR 90 million against Google LLC), fourth (EUR 60 million against Facebook Ireland) and fifth (EUR 60 million against Google Ireland) largest fines for unlawful cookie practices.
But let's take a closer look:
- The Irish Data Protection Commission (DPC) levied a fine of EUR 225 million against WhatsApp Ireland Ltd (ETid-820). This is the second largest fine ever levied for a data protection violation. In particular, WhatsApp violated its transparency obligations towards customers (Articles 12, 13 and 14 GDPR), as it failed to provide users with information on its data processing operations, such as data sharing with Facebook, in an intelligible and easily accessible manner, including towards children. In addition, the fine is based on WhatsApp's unlawful practice of crawling the contacts stored on users' phones, which is not limited to active WhatsApp users but also extends to contacts who do not even have a WhatsApp account. Notably, from a procedural point of view, the European Data Protection Supervisor (EDPB) required the DPC to increase the fine on the basis of a violation of Article 5 (1) a) GDPR (transparency principle), in addition to the violation of Articles 12-14 GDPR.
- Remarkably, only two recent and significant fines relate to insufficient technical and organisational measures: the Hellenic DPA issued fines based on a violation of Article 32 GDPR against Cosmote Mobile Telecommunications S.A. for EUR 6 million (ETid-1024) and against OTE Group for EUR 3.2 million (ETid-1025). In the case against Cosmote, a hacker attacked the company's systems and obtained customers' sensitive data, which were subsequently leaked. Nearly 10 million data subjects were affected by the incident. Above all, the DPA pointed out that Cosmote did not implement stringent data anonymisation standards. In the case against OTE Group, a Cosmote subsidiary, the DPA found that OTE contributed to Cosmote's insufficient security infrastructure, which ultimately led to the incident described above.