GDPR or General Data Protection Regulation is a data regulatory and privacy regulation for protecting all EU citizens. It came into force in 2018 and since then it has penalized many big tech firms for violating these guidelines. Since these regulatory guidelines come into place, individuals have more control over their personal data. And also organizations that are collecting data must use it more responsibly.
Amazon is related to the most popular cases. The Luxembourg National Commission fined €746 million for misusing (Improper handling) of customer data.
One of the most recent cases of GDPR violation was just a week ago when the famous web analytics tool Google “Google Analytics” was banned in the entire European Union. According to the Austrian data protection authority (DPA), Google Analytics was gathering enough data that identified the individuals. This was clearly a violation of the General Data Protection Regulation.
To whom GDPR Rules and Regulations apply:
If you are providing your products or services to foreign lands and want to know if these EU data privacy regulations apply to you or not, then there are simple criteria to know that.
Businesses offering goods and services to the citizens of the European Union or dealing with businesses based in the EU are obliged to follow GDPR guidelines.
Now, what is the definition of personal data according to the General Data Protection Regulation? As the broad definition, the EU citizens’ personal data could be from names, addresses, photos, contact information, generic data, and biometric data to any piece of information that can identify an individual either directly or indirectly.
Biggest GDPR Penalties for Noncompliance
GDPR came into effect in May 2018 and since then it has penalized a lot of companies (including tech giants). Every country has its own governing body that determines the fine based on different factors. Let’s have a look at the topmost heftiest charges in history.
1. Amazon Inc. (€746 Million or $847 Million)
In July 2021, the data protection authority of Luxembourg fined Amazon for violating the GDPR. They accused Amazon of plundering its customer data. The French privacy group La Quadrature du Net, which filed the complaint against Amazon said, they want to ensure that tech giants do not use customer data for behavioral manipulation either for political or commercial purposes.
Though Amazon has completely disregarded all these allegations and currently there is a counter-appeal has begun.
2. WhatsApp (€225 Million or $255 Million)
Another famous name managed to break into the top of the list, i.e. WhatsApp, whose parent company is Meta (Previously Facebook). Meta has always been in the news when it comes to manipulating customer data for their self-interest. They have faced accusations from left and right.
Irish data protection authority has fined $255 Million after the 3-year-long investigation. This happened because WhatsApp was unable to clarify how they were using the EU citizen’s data. Second, there was some complication in data sharing between WhatsApp and Facebook as well.
How Personal Data should be used, as per GDPR
According to the UK GDPR Article 5, there are 7 key principles that govern the rules of utilizing the personal data of customers. Keep in mind that these principles are just a fragment of the entire rules and regulations guide. Though these principles will provide you with an overall summary.
- lawfulness, fairness, and transparency with Customer: Processed lawfully, fairly, and transparently in relation to individuals.
- Purpose limitation of the gathered data: collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, we shall not consider scientific or historical research purposes, or statistical purposes to be incompatible with the initial purposes.
- Minimal use of collected data: Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Data Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Storage limitation: Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. They may store personal data for longer periods where the personal data will be processed solely for archiving purposes in the public interest. Scientific or historical research purposes or statistical purposes are subject to implementing the technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: The controller shall be responsible for and be able to show compliance.
These GDPR rules need to be followed by companies in all activities. Safety of customer data matters even from regular email campaigns to biometrics.