Beyond question – non-compliance is one of the biggest nightmares for multinationals. While several organizations have been trying to dance to the tune of legal authorities across the globe, there are companies that bite the dust when it comes to global compliance. The result – they not only end up creating a scar on their reputation but also face a heavy financial loss.
Here’s a list of six companies which had to pay the biggest fines recorded on account of their non-compliance to global rules and policies.
1. € 50 million on Google
On January 21, 2019, the National Data Protection Commission’s (CNIL) restricted committee enforced a financial fine of € 50 million against Google LLC as per the GDPR. The reasons cited were lack of transparency, inadequacy in information, and absence of valid consent with respect to ad personalization. CNIL acted upon the two complaints received from None Of Your Business (NOYB) and La Quadrature du Net (LQDN) on May 28, 2018, accusing Google of not having a valid legal rationale to process personal data of people who use its services.
On further investigations into the issues stated, CNIL, responsible for examining the Data Protection Act’s breaches, was able to identify two types of GDPR breaches. This consequently resulted in a heavy fine for Google.
2. € 35.3 million on H&M
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has levied a massive fine of € 35,258,707.95 on H&M (Hennes and Mauritz) online shop AB & Co. The company, based out of Hamburg, Germany, has a service center running in Nuremberg. The complaint was that the service center’s several hundred employees had been constantly monitored by the center management. Investigation shone a light on extensive records of the private living conditions of employees.
From employees’ vacation experience to their symptoms of illness and diagnosis methods when they were under the weather, loads of data that date back to 2014 have been stored in network drives for performance evaluation purposes. The HmbBfDI found this to be a serious breach of data protection and privacy violation, ending up with a heavy fine on the company.
3. € 27.8 million on TIM
On January 15, 2020, the Italian Data Protection Authority – Garante Per La Protezione Dei Dati Personali issued a whopping 27,800,000 euros fine on Italian telecom company TIM, owing to its GDPR violation. The authority found TIM to follow unlawful data processing methods and non-compliant aggressive marketing strategies; the company also exhibited an invalid collection of consents and an over-the-top data retention period. The investigation began as a result of several complaints against the aggressive promotional campaigns/calls without proper consent despite the contacted individuals being in the public do-not-call registry.
4. £ 20 million on British Airways
On October 16, 2020, Information Commissioner’s Office (ICO) fined British Airways £ 20 million for the company’s inability to protect the personal and financial details of 400,000+ customers. Investigation revealed that the airline was handling loads of personal data without proper safety measures in place. This was one of the main reasons why the company fell prey to the cyber-attack of 2018 that went undetected for two months. This attack could have been dodged if only the organization had enabled role-based access to applications and data, multi-factor authentication, and rigorous testing.
5. € 18.4 million on Marriot International Inc.
On account of the infringement of GDPR, the Information Commissioner’s Office – UK’s data privacy watchdog levied a fine of 20,450,000 euros as a result of a cyber-attack on Marriot’s IT systems. If we get back to the first part of the attack that happened in 2014, Starwood Hotels and Resorts had their IT systems compromised, after which Marriot acquired Starwood. Unfortunately, right from when this happened to September 2018, Marriot remained unaware of the breach. It was found that seven million guest records for people in the UK were compromised, leading to a failure to adhere to GDPR’s personal data protection rules.
6. € 16.7 million on Wind Tre S.p.A.
On July 13, 2020, the telecommunication company Wind Tre S.p.A was fined € 16,700,000 by the Italian DPA for violating the GDPR. The fine was a consequence of more than hundreds of clients complaining about the unlawful processing of their personal data for marketing purposes. The case became intense when clients were not able to withdraw their consent since the company’s data protection policy failed to provide all the essential information.
These are just a few real-life instances of what non-compliance can cost. Despite the advent of progressive technologies that help companies solve a myriad of problems, staying compliant and updated with different legislative changes in different countries has been a tough nut to crack. Companies have always been looking for HR solutions that can help their compliance teams stay proactive with respect to new laws and amendments.
