Four years and €1.62 billion in GDPR fines later, are companies learning from their mistakes?
TL;DR it’s really hard to know.
Four years after the introduction of the GDPR in the EU, a lot has happened, specially in the last two years. We have arrived to a point where since May 2018, GDPR was responsible for on average ~23 fines a month, which represent more than one fine per business day. As for the numbers, we are at around €1.3M on average per fine, which make me believe the local agencies are not sleeping - and the pace of fines per day is only increasing.
As for the reasons for issuing the fines, let’s look at the list issued as a result of the GDPR enforcement:
Out of this very interesting list, let’s look more carefully to the top 3 that are alone responsible for + €1.3B in fines:
Insufficient legal basis for data processing: companies that didn’t had the right to use the data for other matters than initially predicted i.e. Vodafone Italy passed data to other companies in the group to be targeted by marketing campaigns
Non-compliance with general data processing principles: companies that collected data without authorization i.e. Clearview collected 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database
Insufficient technical and organizational measures to ensure information security: this is self-explanatory e.g. British Airways
Now the question today is: how do we know that companies are learning from their mistakes? Have they implemented measures to prevent the same issues to happen again? Is our data going to be handled better because the companies were fined?
For the most part, there’s no easy way to confirm
The issue with the first two categories is that they result from problems we can’t easily evaluate from the outside. There are not a lot of ways to understand if a company is passing data to a sister company for marketing campaigns: we need the customer or an employee to file a complaint or to technically check if data is moving around (i.e. making requests to external services when not authorized). Same thing if a company is harvesting public photos of millions of people online.
There are three ways we can use to see if companies are making an effort to improve:
checking which technical measures were implemented after the fine
see who was fined more than once and
understand what is the overall trend in terms of number of fines
The only way is up
Let’s start with the easiest one: what is the trend of the GDPR decisions per month/year? The response is easy: upwards, particularly since the beginning of 2020:
The trend can be explained by the explosion of online commerce during the Covid-19 pandemic, which resulted in more transactions involving personal data and thus more reasons for customers to file complaints.
Conclusion: no reasons to believe companies are getting better.
The mailman always knocks twice
Another way to check if a company is making an effort to improve their Data Protection measures is to check if they were fined more than once. Below is a list of companies aggregated by the number of times they were fined:
If there are some companies / entities we couldn’t get information, we can definitely take some conclusions from the others:
The Spanish authorities fined Vodafone 53 times (!), Xfera Moviles 17 and Telefonica 12
Google was fined 7 times
Meta / Facebook / WhatsApp were fined 5 times
Because of the high activity of the Spanish authorities, we can say the table is somehow distorted, but if we see it as a whole, there are more than 70 companies fined more than once. This represents almost 10% of the total number of fined companies.
Conclusion: some, but not a lot of reasons to believe companies are getting better; some companies are definitely not learning.
One of the other main reasons for GDPR fines is the Insufficient technical and organizational measures to ensure information security. This issue can be caused by a number of factors, for example:
Programming bugs and/or configuration errors (e.g. unrestricted APIs)
Exploitation of vulnerabilities
Exploiting these vulnerabilities can cause incidents such as data breaches were the user data can then be used for fraud, sold in the Dark web, spam or phishing.
The British Airways case
An old classic of GDPR fines is British Airways. During the summer of 2018, over 400,000 British Airways customers had their personal information breached. The dataset included usernames, passwords, credit card details and other required flight information. This resulted in a 22M€ fine.
Caused by a modified script that was being called by the website, the attack allowed hackers to collect information submitted by travelers at one of the purchase forms.
A couple of ways BA could have avoided this breach, according to the ICO:
Limiting access to applications, data and tools to only that which are required to fulfill a user’s role
Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems
Protecting employee and third party accounts with multi-factor authentication
Implement security headers such as SRI and CSP
If we can’t have a say on weather BA is analyzing the components being loaded by the website (there are many ways to do this, not all of them visible), we can take a look at the headers and see if the CSP and SRI headers are being implemented:
Knowing the compatibility of browsers with CSP and SRI is superior to 96% and a relatively straightforward task, one could argue their website could still fall under the “Insufficient technical and organizational measures to ensure information security” category.1
Conclusion: we assume companies fix the problem, BA might also have done it on the background, although it doesn’t look like it.
Thanks for reading Cybersecurity Tips! Subscribe for free to receive new posts and support my work.
Running after the damage
Back in 2018, I remember seeing GDPR as the time where the EU was going to make a difference and take the privacy of the European citizens seriously. Packed with good intentions, in four years the authorities managed to issue +1,200 fines, which is certainly positive.
Yet, after the first wave of silly cookie banners, companies learned to live with it and are now finding their way around the rules. The proof is that with the increase in online economic activity, also came more fines, sometimes for the same things, in the same country at the same company.
So are companies learning from their mistakes? It doesn't look like, no. They are still falling for the same mistakes of using personal data they aren't allowed to and failing to put in place proper technical measures.
The balance of power seems a bit off at the moment: there are more and more fines but the authorities appear to be running behind, never ahead. As the Noyb association says “The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.” - this is the situation we are today: companies learned they can get away with ignoring the majority of the rules and as the competitors are doing the same, things move forward until someone complains.
At least you now have someone who to address your complaints to.
There are business reasons such as compatibility with old browsers to don’t implement CSP headers