The year 2023 is now behind us – and it's time to take another look at the fines imposed by data protection supervisory authorities. We've investigated why the total amount of all European fines was significantly higher than in the previous year and how German supervisory authorities compare with other EU countries in terms of fines.
In 2022, we reported that the total amount not only exceeded EUR 1 billion, but had surpassed this mark by around 50 percent, reaching EUR 1.64 billion.
With a new record total of EUR 2.11 billion, European data protection authorities have once again recorded an increase, this time of around 29%. Note that when querying our database, we only count fines for which the date of the decision is known. The query period is January 1 to December 31, 2023.
In 2023, one company in particular made headlines: Meta. The US internet group, which owns the social networks Facebook, Instagram, and Threads, as well as the instant messaging apps WhatsApp and Messenger, received two record-breaking fines.
First, on May 12, 2023, the Irish Data Protection Authority imposed the second-highest fine ever: EUR 1.2 billion for a violation of Art. 46(1) of the GDPR. In providing the Facebook platform, Meta Ireland transferred personal data from the EU/EEA to the United States.
In doing so, it failed to provide adequate protection against the associated risks to the fundamental rights and freedoms of the data subjects. The ECJ had previously confirmed the risks of data transfers in a ruling against Facebook.
Meta had, however, already been fined at the beginning of the year, on January 4, 2023, again by the Irish Data Protection Authority: a EUR 390 million penalty for a violation of Article 6 of the GDPR.
The authority found that Meta Ireland was not entitled to invoke the legal basis of “contract performance” (Article 6(1)(b) GDPR) in connection with the provision of behavioral advertising as part of its Facebook and Instagram services. In doing so, it violated applicable data protection law.
These two fines alone, with a total amount of EUR 1.59 billion, were already close to the previous year's total.
German data protection authorities imposed only 357 fines totaling around EUR 4.94 million over the course of last year. As not all authorities have commented on the number and amount of fines, this figure should be understood as a lower limit.
Compared to the previous year, there has been a slight decrease in the amount and a significant decrease in the number of fines – in 2022, there were 453 fines totaling EUR 5.8 million.
With 64 fines imposed, Berlin was at the top of the list this year in terms of number. Saxony followed with 60, followed by Bremen and Thuringia with 32 fines each.
The highest fine was imposed by the Bavarian State Office for Data Protection Supervision against an unknown company in the seven-digit range.
The second-highest fine in 2023, amounting to EUR 300,000, was imposed by the supervisory authority in Berlin. The sanction was directed against the credit card issuance practices of a Berlin bank. The financial institution, which was not named in the press release issued by the Berlin data protection authority, had used an algorithm to issue credit cards.
This was based on various information that applicants had to enter in an online form on its website. One affected party had complained to the data protection authority about the process after his application was rejected without any specific reason, despite a good credit score and a regularly high income.
Third place in the 2023 ranking also went to a fine from Berlin – this time against Humboldt Forum Service GmbH. The company had created a table summarizing all employees in their probationary period, openly classifying the continued employment of several people as “critical” or “very critical.” The reasons given were sensitive personal data, such as the use of psychotherapy or interest in setting up a works council.
In addition, the authority criticized the lack of involvement of the company's data protection officers in the creation of the list and the fact that they were not mentioned in the processing directory, as well as the delayed reporting of a data breach. The violations ultimately resulted in a fine of EUR 215,000.
This year, we also inquired with the Federal Network Agency (BNetzA) in addition to the German data protection authorities. Although this authority does not impose fines under the GDPR, its fines often relate to data protection issues, such as unauthorized contact for advertising purposes.
In 2023, the BNetzA imposed eight fines totaling EUR 1.43 million. Most cases involved so-called cold calls, in which consumers are confronted with unauthorized advertising calls. According to Section 7 (2) No. 1 of the Unfair Competition Act (UWG), these calls constitute unreasonable harassment. Such harassment can be punished by the Federal Network Agency as an administrative offense with a fine of up to EUR 300,000 in accordance with Section 20 (1) No. 1 and (2) and (3) UWG.
As in previous years, we have compared the activities of the German authorities with the fine practices of other large EU countries. This year, we again looked at France, Spain, and Italy.
The French data protection authority CNIL recorded an increase in 2023 compared to the previous year. While there were only 14 fines in 2022, this number rose to 42 sanctions in 2023. The total value of the sanctions amounted to EUR 89,179,500.
Interestingly, 24 of these proceedings were decided under the simplified sanction procedure. These are handled without extensive consultation or public hearings, are capped at EUR 20,000 in the case of fines, and may not be made public. Nevertheless, the CNIL commented on their amount in its annual report – the total amount of these sanctions was EUR 229,500.
But aside from the simplified sanction procedures, there were definitely some highlights. For example, Criteo received a fine of EUR 40 million, Amazon France Logistique was fined EUR 32 million, Yahoo EMEA Limited EUR 10 million, Voodoo EUR 3 million, and TikTok EUR 2.5 million at the beginning of the year.
Particularly relevant in 2023 were the fines imposed for illegal advertising. The authority made it clear that advertising, regardless of its type, whether as an electronic message or a targeted reference, may only be displayed after the consent of the person concerned has been obtained.
The Spanish data protection authority continued the trend it had started in previous years and imposed a total of 309 fines in 2023, amounting to EUR 9,345,760. In 2023, the majority of the fines imposed by the Spanish authority again consisted of smaller sums in the low four or five-digit range.
However, there were a few exceptions: Openbank was fined EUR 2.5 million for asking customers to send sensitive banking data to the company via unsecured email. The authority imposed a fine of EUR 800,000 on Banco Bilbao Vizcaya Argentaria after the bank failed to comply with a card blocking request.
The Italian data protection authority imposed 124 fines in 2023, slightly fewer than in the previous year. With fines totaling EUR 25,057,100, the authority ranks third in Europe, with only France and Ireland imposing higher fines this year.
A major factor in this was, for example, the EUR 10 million fine imposed on Axpo Italia – the energy supplier had concluded new contracts door-to-door via a network of around 280 salespeople. No adequate control mechanisms were used to verify the data entered during these campaigns.
The telecommunications company TIM was fined around EUR 7.6 million after complaints about unwanted advertising calls piled up – some victims were bombarded with unwanted calls up to five times a day.
Edison Energia also attracted attention for its repeated advertising calls, prompting the authority to ban the company from telephone advertising and impose a fine of EUR 2.45 million.
In direct comparison with other large EU countries, the German supervisory authorities are once again falling behind this year, continuing the previous year's trend of declining figures in a European comparison. Spectacular fines against large corporations, as seen last year, are rare.
In 2023, the number of data breaches reported to German supervisory authorities in accordance with Art. 33 GDPR reached a new high of 24,749. This is a modest increase on the previous year (21,170) and again well above 2021 (just under 13,900), so 2023 continues a steady upward trend.
As statistics on reported data breaches were not available from all supervisory authorities at the time of publication of this article, the article will be revised accordingly when additional reports are received.
Baden-Württemberg recorded the most breaches in 2023 (2,913), followed by Bavaria (2,753) and North Rhine-Westphalia (2,039). The majority of data breaches were related to hacker attacks, data loss, incorrect document delivery, or technical defects.
Alongside the state supervisory authorities, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) was the authority with the most reported breaches, with a total of 9,234.
Interest and the need for advice on the GDPR seem to have increased again somewhat. However, figures such as those seen at the start of the GDPR will not be reached for the time being.
With the publication of our new court ruling database, we would like to take this opportunity to report on this year's notable rulings.
For example, the ECJ made headlines at the end of the year: With its landmark ruling C-340/21, it laid the foundation for effective claims for damages against companies. The ECJ ruled that the fear of possible misuse of personal data can constitute non-material damage. This has greatly strengthened the position of victims of security incidents at companies.
The ECJ's decision in case C-807/21 against Deutsche Wohnen also caused quite a stir. The ECJ finally clarified the fundamental question of attributing misconduct to legal entities when imposing sanctions under Article 83 of the GDPR. This court decision has a direct impact on fines. Data protection authorities have repeatedly pointed out that the ECJ decision will bring a number of proceedings against companies to a close. More on this in the outlook!
Last but not least, the ECJ's decision in case C-683/21 was groundbreaking. According to this decision, a controller can also be fined for processing operations carried out by a processor on its behalf. This does not apply if the processor has processed data for its own purposes or has deviated significantly from the original agreement.
The wave of lawsuits against Facebook following the data scraping incident has also not subsided. For proceedings such as those before the Regional Court of Münster, 017 O 344-22, the ECJ decision could already have real consequences, as the element of “concrete, causal damage”, which courts had previously denied outright, may now be established after all.
To stay up to date on new court decisions or browse older cases, take a look at our new database!
As early as 2022, the Clearview AI case had us preoccupied with the relationship between the GDPR and artificial intelligence, and nothing changed in this regard in 2023. The rapid development of AI presented European data protection authorities with new questions and problems. For example, ChatGPT was blocked by the Italian data protection authority for a certain period of time – currently, a renewed ban and a fine are under consideration. It remains to be seen whether data protection can be adequately ensured through the use of artificial intelligence.
In 2023, data protection authorities in various countries declared war on unauthorized telephone and internet advertising. The large fines imposed in France and Italy give an indication of what we can expect in 2024 – the boundaries in the area of advertising will be drawn even more clearly and further fines are to be expected.
But 2024 will also be an exciting year in Germany. It is to be expected that various security incidents in 2023 will result in fines. One example is the ransomware attack on the hotel chain Motel One, in which hackers from the ALPHV group managed to gain access to 24 million files totaling 6 TB.
Over 5 TB of this data has been sold on the darknet so far, which is a massive problem – the published data probably includes millions of private billing addresses, dates of birth, and almost complete lists of overnight stays in recent years.
Due to the ECJ's clarification of the issue of attributing data protection violations to legal entities, we expect a significant increase in fine proceedings in Germany. In particular, the authorities are likely to venture into imposing high fines again and bring ongoing proceedings to a conclusion with greater legal certainty. The growing number of cyberattacks will also provide a steady stream of new cases for fines.
The table includes the fines reported to us by the supervisory authorities. It will be updated accordingly as the authorities submit further information.
| Supervisory authority | Number of fines | Total in EUR | Reported data breaches |
|---|---|---|---|
| Baden-Württemberg | 11 | 15,800 | 2,913 |
| Bavaria (non-public sector) | n.a. | 3,800,000 | 2,753 |
| Bavaria (public sector) | 0 | 0 | n.a. |
| Berlin | 64 | 549,410 | 1,129 |
| BfDI | 0 | 0 | 9,234 |
| Brandenburg | 10 | 13,900 | 495 |
| Bremen | 32 | 147,465 | 176 |
| Hamburg | 8 | 86,480 | 925 |
| Hessen | 124 | 56,810 | 1,934 |
| Mecklenburg-Vorpommern | n.a. | n.a. | n.a. |
| Lower Saxony | n.a. | n.a. | n.a. |
| North Rhine-Westphalia | n.a. | n.a. | 2,039 |
| Rhineland-Palatinate | 8 | 6,630 | 678 |
| Saarland | 8 | 208,375 | 727 |
| Saxony | 60 | 28,090 | 949 |
| Saxony-Anhalt | n.a. | n.a. | n.a. |
| Schleswig-Holstein | 0 | 0 | 498 |
| Thuringia | 32 | 31,490 | 299 |
| Total | 357 | 4,944,411 | 24,749 |