GDPR fines double to nearly €100m in first half of 2022

The UK Information Commissioner’s Office might be using GDPR fines as a last resort but its counterparts in the EU appear to be dishing them out like hot cakes, with penalties totalling €97.29m in the first half of 2022, an increase of 92% over H1 2021.

An analysis by Atlas VPN, from Enforcementtracker, reveals even though the number of GDPR violations slightly decreased in 2022, the severity of those violations was considerably worse.

In fact, there were 215 cases in 2021 resulting in €50.6m in GDPR penalties and 205 in H1 2022 with €97.29m in fines.

The most noticeable difference between 2021 and 2022 was seen in February, where the total amount penalised differs by nearly €28m.

On the other hand, there is a distinctive trend throughout both years – around 70% of fines are issued in the first quarter.

Two cases of note include a €10.4m penalty issued in June 2021 to n notebooksbilliger.de AG by the State Commissioner for Data Protection (LfD) of Lower Saxony. The German company had monitored its employees by video for at least two years without any legal basis.

The inadmissible cameras recorded, among other things, workplaces, sales rooms, warehouses, and common areas. The company argued that the surveillance aimed to prevent and investigate crimes and track goods in warehouses.

However, video surveillance is only lawful when justified suspicion against specific individuals exists. If that is the case, it is allowed to monitor them with cameras for a particular period. Yet, in this case, the monitoring was not limited to specific employees or a time.

Meanwhile, in May 2022, the ICO fined Clearview AI Inc £7,552,800 for using images of people in the UK and elsewhere collected from the web and social media to create a global online database that could be used for facial recognition.

Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information. It did not inform any persons that their images were being collected or used this way.

In addition, the company effectively monitors the behavior of those individuals and offers it as a commercial service.

At the time, UK Information Commissioner John Edwards said: “People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.”