Companies slammed with a fresh wave of GDPR fines with Clearview still in EU’s data crosshairs

Clearview AI was hit with its largest GDPR fine yet from Dutch regulators 

A slew of General Data Protection Regulation (GDPR) fines over the past month indicates that data protection authorities are continuing to clamp down on what they perceive to be violations of the regulation.

Among them is the Netherlands’ data protection authority (AP), which fined Clearview AI €30.5 million for breaches of the GDPR. The fine was imposed after the AP says it confirmed that the company’s database contains images of Dutch citizens.

This fine is significant in that it is larger than the GDPR fines imposed on the company by data protection authorities in France, Italy, Greece and the UK over the past few years, going back to 2022. Moreover, the AP warned that it could fine the company an additional €5.1 million for continued non-compliance, as Clearview had failed to stop the GDPR violations after the AP concluded its investigation. The total fine could reach €35.6 million if Clearview AI continues to ignore the Netherlands regulator. Clearview has stated that it is not subject to the GDPR because it doesn’t have a place of business in the Netherlands or the EU and doesn’t have any customers there.

The AP has also recently fined Uber €290 million for transferring employee data to the USA without adequate safeguards. This breach, spanning approximately two years, involved personal data of 172 Uber drivers from France, including location data and criminal records. The AP leads on GDPR oversight of Uber because the company has its main EU establishment in the Netherlands.

The GDPR allows for fines of up to 4% of global annual turnover to be levied for non-compliance. Uber’s revenue for 2023 was around €34.5 billion, making the fine well below that maximum. But it is still among the largest penalties levied on a tech company since the GDPR began operating back in 2018.

Other recent, much smaller GDPR actions include one against Uniqlo, which was fined €270K by the Spanish Data Protection Authority after a former service provider received their own payslips and those of 446 other employees. The fine was reduced from an initial €450K after Uniqlo took corrective actions. A Belgian telecommunications company was also fined €100K by the Belgian Data Protection Authority for failing to respond to a customer’s request for information and not communicating effectively with the customer regarding changes to their contract. The Danish Data Protection Authority fined the Municipality of Vejen almost €27K after unencrypted laptops containing sensitive data of students and teachers were stolen from a school.

As the fines increase and the authorities take increasing notice of violations, it’s important to learn what to do to avoid getting fined. Our 10-step guide to GDPR could help.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of euros.


James

VinciWorks CEO, VinciWorks
