
Fines Over EU Data Breach Laws Pass $1.1 Billion

February 28, 2022

Data breaches in Europe can be extremely expensive, with possible penalties reaching up to 4% of a company’s annual turnover, thanks to the General Data Protection Regulation (GDPR), reported PYMNTS. 

Fines for data breaches reached more than $1.1 billion in 2021. Amazon led the scoreboard with a staggering $867 million fine, accounting for much of the total.


It isn’t just Big Tech companies that need to be aware of this regulation. Infringing Europe’s latest attempt to rein in the internet giants can be easier than expected. One such case is that of Giropay, a German payment platform subject to a complaint by the European Center for Digital Rights for allegedly violating the EU’s GDPR.

According to the complaint, Giropay displayed and processed sensitive personal sexual and health information without customer consent. Article 9 of the GDPR prohibits platforms from processing data “concerning health or data concerning a natural person’s sex life or sexual orientation” without explicit consent.

Giropay is an integrated payment processing service that many retailers use to process customer payments. A customer noticed that the platform had saved data about the products she bought, including some eye drops and a product from a sex shop. The key in this case is that Giropay, according to the company, is not responsible for transmitting this information, as retailers had sole discretion to share shopping cart information.

The case may be reviewed by the competent data protection agency. If the authority finds that Giropay did breach the GDPR, it may impose a fine. Such a fine would likely be minor given the nature of this infringement, but it will probably ask the company to change its data processing practices to bring them in line with the GDPR.

This case exemplifies how far the GDPR can go when it comes to the collection and processing of personal data, as Giropay didn’t intend to collect personal data, but simply took the data from the shopping cart. Exceptions in the law allow for the collection of personal data, provided it is “customary in the market” and corresponds to the service expectations of the users. While this is a possible avenue for Giropay’s defense, it will need to be proven over the course of an investigation, if the agency opens one.
