
In the industry and commerce sector, DPAs from 26 different countries have so far imposed 455 fines (+83 in comparison to the 2023 ETR) on a variety of different enterprises including very large online platforms, utility companies, database operators, grocery store chains and food-delivery services, with a total fine volume of EUR 897 million (+40 million in comparison to the 2023 ETR).
Measured by the number of registered cases and the average fines imposed, companies in the industry and commerce sector remain highly affected by the imposition of GDPR fines. The sector is highly influenced by the second highest fine ever imposed under GDPR (EUR 746 million against Amazon in 2021) and the most registered cases amongst all sectors (456). While the number of fines kept rising considerably in 2023 (+83), the increase of the total fine volume to EUR 897 million mainly resulted from one French case against Amazon France Logistique. The average fine amount decreased from EUR 2.39 million in the 2023 ETR to approximately EUR 2 million now.
Most companies in this sector were fined due to an insufficient legal basis for data processing (109), insufficient fulfilment of information obligations (96) and non-compliance with general data protection principles (80). The Spanish DPA (AEPD) remains by far the most active DPA, imposing more than 40% of all fines in this sector (190), followed by the authorities of Italy (Garante: 66) and Romania (ANSPDCP: 55).
Let's take a closer look
- The highest fine in the industry and commerce sector in 2023 was imposed by the French Data Protection Authority (CNIL) against Amazon France Logistique (AFL – ETid-2192). The amount of EUR 32 million was imposed mainly for unlawful surveillance of employees. The CNIL found that AFL equips its warehouse employees with a scanner to document certain tasks. Each scan records data that is stored and can be used to calculate a series of indicators providing information on the productivity of each employee. The CNIL considered a system that measures interruptions in activity with precision and potentially forces the employee to justify each break or interruption to be unlawful. The CNIL also found a breach of the information and transparency obligation under the GDPR, as employees and external visitors were not adequately informed about the surveillance systems. Finally, the CNIL found that the video surveillance software was not sufficiently secured.
- Following a series of significant fines against the same company in 2022, the CNIL imposed another fine of EUR 5.2 million against Clearview AI (ETid-1839). The CNIL had imposed a fine of EUR 20 million on the company in 2022 for unlawfully collecting personal data. In addition to the fine, the CNIL ordered the company to make its processing of personal data compliant with data protection laws within two months. However, the company did not provide evidence of compliance within this period and was thus sanctioned with another significant fine. Clearview AI operates a database of more than 20 billion facial images from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals’ profiles can be enriched with information associated with those images, such as image tags and geolocation.
- Although there have been a few seven-figure fines and even one eight-figure fine in 2023, the standout fine and the second highest GDPR fine amongst all sectors is the EUR 746 million penalty imposed on Amazon Europe Core S.a.r.l. by the Luxembourg DPA (CNPD) in 2021 (ETid-778).
Main takeaways
In particular, non-compliance with general data protection principles and insufficient legal basis for data processing resulted in severe fines for companies in the industry and commerce sector. Violations of the controller’s information obligations towards data subjects were also closely investigated by DPAs. The two highest fines in this sector were both imposed against companies of the Amazon group; these two sanctions alone make up more than 85% of the total fine volume in this sector (EUR 778 million). The additional seven-digit fine against Clearview AI imposed by the French authority shows that not only initial violations but also non-compliance in the implementation phase following supervisory investigations can lead to significant fines. The Spanish, Romanian and Italian DPAs in particular continue to be very active and willing to investigate GDPR violations of all kinds.