2024 brought a host of high penalties against US companies, with the highest being a 310 million Euro fine against LinkedIn. While this pales in comparison to the 1.2 billion Euro fine against Meta in 2023, there are plenty of lessons to take away from the enforcement against US companies in Europe last year. Let’s dive into them:
The Five Largest GDPR Penalties Against US Companies in 2024
LinkedIn’s 310M Euro Penalty for Insufficient Legal Basis for Data Processing
LinkedIn took the top spot in terms of dollar figures for GDPR penalties in 2024. The fine related to LinkedIn’s alleged use of member data for targeted advertising and behavioral analysis – without valid consent. The data that was unlawfully processed included information that individuals provided to LinkedIn directly, as well as data from third parties.
The 290M Euro Penalty Against Uber for Unlawful Data Transfers
The penalty against Uber relates to data it sent from Europe to the United States without using a valid cross-border transfer mechanism. At the time, the EU-US data framework Uber had relied on had been invalidated by the European Court of Justice, and a replacement framework had not yet been adopted. During this gap, companies that had relied on the invalidated framework should have implemented contractual transfer mechanisms to ensure the data of European residents was adequately protected. However, it seems Uber failed to do this and continued to transfer data without a valid transfer mechanism in place. This was the basis for the penalty in 2024.
Meta’s First Penalty for Insufficient Technical Protections
The first of the two large penalties issued to Meta in 2024 came in September but related to technical failings in 2019. It was alleged that Meta failed to encrypt passwords for storage, opting instead to have them stored in plain text. This is widely considered a poor practice, since plaintext can be read by humans without any special keys or software.
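The practice described above, shown side by side as an added illustration (not Meta's code or anything from the enforcement record): a credential store that keeps passwords in plain text, next to one that keeps only a salted, slow-to-compute hash. The iteration count and the sample user and password are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: assumes a simple dict as the credential store.
PBKDF2_ITERATIONS = 600_000  # assumption: a reasonable 2024-era cost for SHA-256


def store_plaintext(db: dict, username: str, password: str) -> None:
    """Weak pattern: whoever can read the store can read every password."""
    db[username] = password


def check_plaintext(db: dict, username: str, password: str) -> bool:
    return db.get(username) == password


def store_hashed(db: dict, username: str, password: str) -> None:
    """Hardened pattern: per-user random salt plus a slow KDF; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[username] = {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def check_hashed(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, rec["hash"])


def password_visible_in_dump(db: dict, username: str, password: str) -> bool:
    """What a leaked copy of the store reveals: True if the password is readable verbatim."""
    return password in repr(db.get(username))


def audit_store(db: dict) -> list:
    """Detection aid for reviewers: list users whose stored credential is a readable string."""
    return [user for user, rec in db.items() if isinstance(rec, str)]


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "hunter2")
    store_hashed(hashed, "alice", "hunter2")
    print("plaintext store leaks password:", password_visible_in_dump(plain, "alice", "hunter2"))
    print("hashed store leaks password:", password_visible_in_dump(hashed, "alice", "hunter2"))
    print("records needing remediation:", audit_store(plain))
```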
Meta’s Second Penalty for Insufficient Technical Protections
The largest penalty Meta received in 2024 was issued in December and related to a data breach that exposed personal information of individuals around the world, including children. Some of the personal information breached included religion, gender, birthdate, and geolocation data.
The breach appears to be the result of a coding error that created a security weakness that could be exploited. However, the 251M Euro fine was levied to address multiple issues, as follows:
- 8M Euros administrative penalty for not including all the required information in a breach notification;
- 3M Euros for failing to document the facts relating to the breach;
- 130M Euros for failing to ensure data protection principles were protected in the design of processing systems; and
- 110M Euros for the overcollection of data.
The 32M Euro Penalty Against Amazon for Employee Surveillance
This fine was issued against a French arm of Amazon, known as Amazon France Logistics. It related to scanning technology that was deployed to track employees’ productivity, quality of work, and periods of inactivity. France’s privacy watchdog ruled that “it was illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption”. Amazon France Logistics was also fined for video surveillance being stored with inadequate technical security measures in place.
Key Takeaways
- Just because someone gives your company data doesn’t mean you can use it however you please. You need a valid reason (lawful basis) to use it, and you can only use it for that specific reason.
- Sending your data to different jurisdictions comes with increased risks. You should know and understand your data flows and the risks that come with them.
- Many companies, including those with huge budgets, still haven’t implemented very basic privacy protections. We see this time and time again with breaches that could have been prevented with multi-factor authentication, as well as bad practices like unencrypted/plaintext password storage. By implementing technical security basics, you’ll be ahead of the pack.
- Building privacy into your products from the outset, instead of making it a bolt-on, tends to be cheaper and more effective. The earlier you conduct a privacy impact assessment and implement technical and other privacy measures, the better the result is likely to be.
- A business note: tracking productivity down to the second is likely to cause more headaches than it’s worth when it comes to human inputs (track away when it comes to machines). It’s likely going to serve you, and your company culture, better to look at outcomes more holistically and set daily or weekly targets for individuals and teams.
You can find our downloadable privacy compliance checklist here.
For assistance improving your privacy practices, reach out. Our attorneys are available to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.