Data breaches in Europe can be extremely expensive, with possible penalties reaching up to 4% of a company’s annual turnover, thanks to the General Data Protection Regulation (GDPR), reported PYMNTS.
Fines for data breaches reached more than $1.1 billion in 2021, with Amazon leading the scoreboard and accounting for much of the total, with a staggering $867 million fine.
It isn’t just Big Tech companies who need to be aware of this regulation. Infringing Europe’s latest attempt to rein in the internet giants can be easier than expected. One such case is that of Giropay, a German payment platform subject to a complaint by the European Center for Digital Rights for allegedly violating the EU’s GDPR.
According to the complaint, Giropay displayed and processed sensitive personal sexual and health information without customer consent. Article 9 of the GDPR prohibits platforms from processing data “concerning health or data concerning a natural person’s sex life or sexual orientation” without explicit consent.
Giropay is an integrated payment processing service that many retailers use to process customer payments. A customer noticed that the platform had saved data about the products she bought, including some eye drops and products from a sex shop. The key in this case is that Giropay, according to the company, is not responsible for transmitting this information, as retailers had sole discretion to share shopping cart information.
The case may be reviewed by the competent data protection agency. If the authority finds that Giropay did breach the GDPR, it may impose a fine. Such a fine would likely be minor given the nature of this infringement, but the authority will probably ask the company to change its data processing practices to bring them in line with the GDPR.
This case exemplifies how far the GDPR can go when it comes to the collection and processing of personal data, as Giropay didn’t intend to collect personal data, but simply took the data from the shopping cart. Exceptions in the law allow for the collection of personal data, provided it is “customary in the market” and corresponds to the service expectations of the users. While this is a possible avenue for Giropay’s defense, it will need to be proven over the course of an investigation, if the agency opens one.