
GDPR fines in December 2024: Fines in the millions against Meta, Orange, OpenAI, Netflix and Telefonica


The European data protection authorities again imposed fines in the millions in December 2024. Meta alone was fined 251 million euros, the mobile operator Orange 50 million euros, and OpenAI, the company behind ChatGPT, 15 million euros.

Meta Platforms Ireland Ltd.: 251 million euros (Ireland)

On December 17, 2024, the Irish Data Protection Commission (DPC) announced its final decisions on two investigations against Meta Platforms Ireland Limited. These investigations were initiated by the DPC on its own initiative after Meta reported a personal data breach in September 2018. The incident affected around 29 million Facebook accounts worldwide, including around 3 million accounts of users from the EU. Compromised personal data included full name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, group memberships and even children's data.

The data breach was caused by unauthorized third parties exploiting user tokens on the Facebook platform. Meta Platforms Ireland and its US parent company remedied the incident shortly after it was discovered. Nevertheless, following an in-depth investigation, the DPC found several breaches of the General Data Protection Regulation (GDPR) and imposed fines totaling 251 million euros. The infringements in detail:

  • Article 33(3) GDPR - Meta did not provide all the information required under this provision when reporting a data breach, even though this would have been possible. The DPC imposed a fine of 8 million euros for this.
  • Article 33(5) GDPR - Meta failed to adequately document the facts of each incident and the remedial measures taken to enable the supervisory authority to verify compliance. A fine of €3 million was imposed for this breach.
  • Article 25(1) GDPR - Meta failed to implement data protection principles at the design stage of its processing systems (data protection by design). A fine of 130 million euros was imposed for this infringement.
  • Article 25(2) GDPR - Meta failed to comply with its obligation as a controller to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed (data protection by default). A fine of 110 million euros was imposed for this infringement.


Source: Communication from the Irish Data Protection Commission

Orange SA: 50 million euros (France)

The French data protection authority "Commission Nationale de l'Informatique et des Libertés" (CNIL) announced on December 10, 2024 that it had imposed a fine of 50 million euros on the leading French telecommunications provider Orange SA.

In its investigation, the CNIL found that Orange placed advertisements in users' inboxes that were visually almost indistinguishable from regular emails. According to Article L. 34-5 CPCE, the prior consent of the data subject is required for any form of electronic advertising. This practice was contrary to the case law of the European Court of Justice (ECJ), according to which any advertising that appears in a user's inbox is considered to be the use of emails for advertising purposes and is only permitted with the user's express consent. Although Orange discontinued this practice in November 2023 and has used more clearly labeled advertising since then, the CNIL classified the previous implementation as a serious infringement. The high number of users affected - more than 7.8 million - as well as the financial benefit Orange gained from the sale of advertising space were taken into account when assessing the fine.

In addition, the CNIL found that cookies placed on users' devices continued to be read by Orange even after the users had withdrawn their consent. Article 82 of the French Data Protection Act (Loi Informatique et Libertés) stipulates that information may only be stored on, or read from, a user's terminal equipment with the user's express consent, and that this consent must be revocable at any time. Continuing to read cookies after a withdrawal not only undermines the relationship of trust between user and provider but also runs counter to the basic principles of the GDPR and the French Data Protection Act. The CNIL treated Orange's practice as a clear violation of these rules, because users could not be sure that their withdrawal had actually been implemented technically. The CNIL emphasized that it is Orange's responsibility to put technical measures in place that prevent cookies from being read once consent has been withdrawn. For cookies placed by Orange's partners, the company is responsible for ensuring that these partners also take appropriate measures.

In addition to the fine of 50 million euros, the CNIL issued an order requiring Orange to stop the unauthorized reading of cookies within three months, subject to a penalty of 100,000 euros for each day of delay beyond that deadline.
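The failure the CNIL faulted, a cookie that is still read after the user has withdrawn consent, is at bottom an enforcement problem: the consent state has to be checked at the point of every read, and the affected cookies have to be expired. The following JavaScript is an added example of that pattern and is not Orange's code; the cookie names, the category mapping and the Path/Domain attributes used to delete cookies are assumptions for illustration, and the Cookie header is constructed.

```javascript
// Added example (not Orange's code): consent-gated cookie access that
// enforces withdrawal at read time and emits the headers needed to
// delete the affected cookies. Cookie names and categories are assumed.

// Assumed mapping of consent categories to the cookies they cover.
// "necessary" cookies need no consent and are always readable.
const COOKIE_CATEGORIES = {
  necessary: ['session'],
  analytics: ['_ana_id', '_ana_session'],
  ads: ['_ad_uid'],
};

// Reverse index: cookie name -> category.
const CATEGORY_OF = Object.fromEntries(
  Object.entries(COOKIE_CATEGORIES).flatMap(([cat, names]) => names.map((n) => [n, cat]))
);

// Minimal consent record. Every change is logged with a timestamp so that a
// withdrawal can be evidenced later.
class ConsentStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.granted = new Set();
    this.log = [];
  }
  grant(category) {
    this.granted.add(category);
    this.log.push({ t: this.now(), category, action: 'grant' });
  }
  withdraw(category) {
    this.granted.delete(category);
    this.log.push({ t: this.now(), category, action: 'withdraw' });
  }
  allows(category) {
    return category === 'necessary' || this.granted.has(category);
  }
}

// Parse a Cookie request header (or document.cookie) into a Map.
// Only the first '=' separates name and value; later ones belong to the value.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (name) out.set(name, value);
  }
  return out;
}

// The single chokepoint for cookie reads: a cookie is returned only if its
// category is currently allowed. A cookie that is still present in the header
// after withdrawal is treated as if it did not exist.
function readCookie(header, name, consent) {
  const category = CATEGORY_OF[name];
  if (category === undefined) return null; // unknown cookie: never read it
  if (!consent.allows(category)) return null;
  return parseCookieHeader(header).get(name) ?? null;
}

// Set-Cookie headers that expire every cookie in a withdrawn category.
// Path/Domain must match the original cookie for the browser to delete it
// (assumed here: Path=/ and no Domain attribute).
function revocationHeaders(category) {
  return (COOKIE_CATEGORIES[category] || []).map(
    (name) => `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`
  );
}

// Walkthrough on a constructed Cookie header.
function demo() {
  const header = '_ana_id=abc123; _ana_session=s9; _ad_uid=u42; session=tok1';
  const consent = new ConsentStore();
  const result = {};
  consent.grant('analytics');
  result.beforeWithdrawal = readCookie(header, '_ana_id', consent); // 'abc123'
  consent.withdraw('analytics');
  result.afterWithdrawal = readCookie(header, '_ana_id', consent);  // null, cookie still in header
  result.necessary = readCookie(header, 'session', consent);        // 'tok1', no consent needed
  result.neverGranted = readCookie(header, '_ad_uid', consent);     // null
  result.deleteHeaders = revocationHeaders('analytics');            // two Max-Age=0 headers
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block under Node prints the walkthrough; in a browser the same `readCookie` would be given `document.cookie` instead of a constructed header. The point of the design is that no code path reads a cookie except through `readCookie`, so a withdrawal takes effect immediately even if the deletion headers have not yet reached the browser. Cookies placed by third-party partners cannot be expired from the first-party origin at all, which is why the CNIL held Orange responsible for obtaining equivalent measures from its partners.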

Source: CNIL fines Orange SA.

OpenAI: 15 million euros (Italy)

The Italian data protection authority (Garante per la Protezione dei Dati Personali) has fined OpenAI, the company behind the AI-supported chatbot ChatGPT, 15 million euros.

The investigation was launched in March 2023 after the authority identified violations in connection with OpenAI's processing of personal data. The key allegations against OpenAI were:

  1. Failure to report a data breach: OpenAI had not properly notified the authority of a data breach that occurred in March 2023.
  2. Insufficient legal basis for data processing (breach of Article 6 GDPR): OpenAI has processed personal data of users and non-users for the development and training of ChatGPT without an adequate legal basis.
  3. Violation of the transparency requirement: OpenAI has not sufficiently informed the data subjects about the processing of their data, as required by Art. 12 and 13 GDPR.
  4. Lack of age verification (violation of Art. 8 GDPR): The lack of age verification resulted in children under the age of 13 being exposed to potentially inappropriate content.


The Italian data protection authority not only imposed a fine of 15 million euros, but also made use of the powers under Art. 166 of the Italian Data Protection Act for the first time. OpenAI was obliged to carry out a broad-based information campaign via radio, television, print media and the Internet. The aim of this measure is to inform the public about how ChatGPT works, how data is collected and the rights of those affected. The six-month campaign is intended to inform users and non-users about how they can exercise their rights to object, erasure and rectification in accordance with the General Data Protection Regulation.

Since OpenAI has since established its European headquarters in Ireland, the remaining proceedings were handed over to the Irish Data Protection Commission, which is continuing the investigation as lead supervisory authority.

Source: Notice of fine Garante per la Protezione dei Dati Personali against OpenAI

Netflix International BV: 4.75 million euros (Netherlands)

The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 4.75 million euros on Netflix International B.V. The streaming service was penalized for several violations of the General Data Protection Regulation (GDPR), including a lack of transparency in its privacy policy and failure to meet its information obligations when responding to access requests.

Netflix was accused of not providing sufficient information on the purposes and legal basis of data processing in the company's privacy policy. The information on the recipients of personal data, storage periods and international data transfer was also incomplete. In addition, Netflix did not respond to customer requests for information with sufficient specificity. These infringements relate to Articles 12, 13 and 15 of the General Data Protection Regulation, which oblige companies to process personal data in a transparent, comprehensible and accessible manner.

The investigation was initiated after the organization "None Of Your Business" (NOYB) submitted complaints on behalf of data subjects. NOYB criticized Netflix for not providing detailed information about the purposes of data processing, the categories of data concerned or the recipients when responding to requests for information. These gaps hindered the exercise of data subjects' rights, such as the right to erasure or the right to object.

In its decision published on December 18, 2024, the AP noted that the breaches could have a significant impact on the rights and freedoms of data subjects, as Netflix has millions of users worldwide, a significant proportion of whom are based in the European Union. Netflix was credited with having revised and improved its privacy policy several times during the proceedings. Nevertheless, the changes were deemed insufficient to fully comply with the requirements of the GDPR.

The fine imposed takes into account both the seriousness of the infringements and Netflix's market position. The AP emphasized that transparency and the protection of personal data are central pillars of the GDPR and that violations of these principles cannot be tolerated. In addition, the sanction is also intended to have a deterrent effect to ensure compliance with data protection regulations. Netflix has appealed against the fine.

Source: Fining notice from the Autoriteit Persoonsgegevens against Netflix

Telefónica de España: 1.3 million euros (Spain)

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 1.3 million euros on Telefónica after the personal data of its customers was compromised in a security breach. The telecommunications company had discovered a security incident in September 2022 in which unknown persons used employees' login credentials to gain access to the company network and steal data.

The investigation revealed that 1,021,253 people were affected by the breach, including customers of the subsidiaries Movistar and O2. The AEPD found that the technical and organizational measures protecting the collected data were inadequate, and that adequate measures could have prevented the incident. In particular, a user name and password alone were sufficient to log into the company network; no second authentication factor was required.

The fine consists of two penalties: EUR 500,000 for the breach of Art. 5 para. 1 lit. f GDPR and EUR 800,000 for the breach of Art. 32 GDPR.

Source: Notice of fine from the Agencia Española de Protección de Datos against Telefonica
