
Media, Telecoms & Broadcasting

   

The supervisory authorities continue to keep a close eye on companies in the media, telecommunications and broadcasting sector. To date, fines in this sector amount to EUR 3.3 billion, based on 288 fines in 21 countries (+ EUR 1.6 billion and + 70 fines compared to the ETR 2023). Considering the total amount of fines of around EUR 4.5 billion for all sectors of the economy, the media, telecommunications and broadcasting sector accounts for almost three quarters of all fines. This is partly due to the fact that the turnover of the fined companies is very high.

In 2023, the highest fine since the GDPR came into force was imposed on Meta Platforms Ireland Limited. It is worth noting, however, that the main fines imposed in the media, telecommunications and broadcasting sector between March 2023 and March 2024 were spread across a wider range of companies than in some previous years, rather than being attributable only to the same few players. The top 5 fines include two fines against TikTok, both relating to the processing of children's data.

Let's take a closer look


  • The Irish DPA (DPC) imposed a record fine of EUR 1.2 billion on Meta Platforms Ireland Limited in May 2023, finding that the company violated the regulations on international data transfers (ETid-1844). The decision was issued following the "Schrems II" decision of the ECJ, in which the EU-US Privacy Shield was declared invalid on the grounds that the level of data protection in the US is not essentially equivalent to that in the EU. Meta thereafter based the transfer of personal data on the standard contractual clauses and additional supplementary measures; however, the DPC found that these did not overcome the risks to the fundamental rights and freedoms of the data subjects identified by the ECJ, and that the transfers therefore violated the GDPR. After other supervisory authorities raised objections to the DPC's originally planned decision in the cooperation procedure set out in the GDPR, the EDPB ordered the DPC to impose an administrative fine. Consequently, the DPC imposed the aforementioned fine and ordered Meta to stop the transfer of personal data to the US within five months, and to cease the unlawful processing, including the storing of data already transferred, in the US within six months.
  • The Irish DPC imposed a fine of EUR 345 million on TikTok Technology Limited due to the violation of general data protection principles and the lack of appropriate technical and organizational measures (ETid-2032). The DPC found that, in the investigation period from July to December 2020, the profiles of child users were public by default; that the "Family Pairing" feature, which allowed adult users to link their accounts and exercise certain controls over the accounts of underage users, posed a risk; that TikTok failed to provide child users with information about the categories of recipients of their personal data and clear, understandable information on the scope and implications of data processing; and that TikTok nudged child users to opt for less privacy-friendly options during registration and when posting videos on the platform. In addition to the fine, the DPC issued an order requiring TikTok to bring its processing activities in line with the GDPR within three months.
  • The French DPA (CNIL) fined online-marketing company Criteo EUR 40 million due to various violations of the GDPR (ETid-1912). In order to display personalised advertising on the Internet, Criteo uses a cookie that is set when certain Criteo partner sites are visited, and which collects data on the browsing behaviour of an Internet user. This data is used to analyse for which advertiser and for which product an advertisement is preferably displayed to a particular Internet user. Criteo then participates in a real-time bidding process and displays the personalised ad if the auction is won. Although the company does not know the name of a user, the CNIL considered that the data was sufficient to allow the re-identification of individuals in some cases. In its investigations, the CNIL found that Criteo was unable to prove that users had given their consent to the processing of their data by the Criteo cookie and did not ensure that its partners obtained such consent by means of appropriate contractual provisions; that its privacy policy was partly incomplete with regard to the purposes pursued with the data processing, and partly too vague; that the rights of data subjects were not fully respected in accordance with the requirements of the GDPR; and that the agreement for joint controllers between Criteo and its partners was incomplete.
  • The UK DPA (ICO) also imposed a fine on TikTok Information Technologies UK Limited and TikTok Inc in the amount of EUR 14.5 million for the unlawful processing of children's data and violation of transparency requirements (ETid-1730). The ICO estimated that up to 1.4 million British children under the age of 13 were using the platform in 2020 in breach of TikTok's terms of use and their personal data were processed without parental consent. According to the ICO, TikTok did not take sufficient measures to identify and remove children under 13 from the platform. In addition, the ICO found that the platform did not provide sufficient information about the processing of personal data of its users, leaving users, in particular underage users, unable to make informed decisions about whether and how to interact with the platform.

Main takeaways

The supervisory authorities are imposing increasingly higher fines: although the number of fines imposed in the sector has only increased by 32 percent compared to the ETR 2023, the total amount of fines imposed is much higher, showing an increase of 94 percent. The most common reason for fines in the media, telecoms and broadcasting sectors remains an insufficient legal basis for data processing operations, followed by non-compliance with general data protection principles.

The Spanish supervisory authority was the most active in imposing fines. With regard to the record fine against Meta, it is striking that this was only imposed by the DPC after a binding decision by the European Data Protection Board (EDPB), as has already been the case with other major fines imposed by the DPC in recent years. This shows that the consistency mechanism and the dispute resolution procedure set out in the GDPR are still of great importance, particularly in relation to the enforcement of the GDPR in Ireland.