Since the EU’s General Data Protection Regulation (GDPR) came into force in 2018, expectation has been rife that Big Tech firms would bear the brunt of enforcement.

So far, that has not happened. To date, there have only been six fines under the GDPR against Big Tech firms, ranging from €28 in Hungary against Google’s Irish subsidiary to France’s €50 million penalty against Google itself. The number of sanctions is likely to change, but progress may be slow: Ireland currently has a backlog of 27 ongoing cross-border inquiries into Big Tech firms, with Facebook and its associated companies accounting for 14 of them.

Meanwhile, other industries have proven to be more prone to data privacy violations than has previously been acknowledged.

GDPR industry fines

Telecommunications firms were on the receiving end of 69 fines under the GDPR and other national data protection laws in 2020—far more than businesses in industries such as finance, healthcare, or technology.

According to a report released earlier this year by Federprivacy, an Italian association of privacy professionals, in 2020 the telecommunications sector received the most sanctions under the GDPR and national data protection laws with 69 fines—more than four times the number against tech firms (16). Among other key sectors, financial services received 28 fines, while healthcare accounted for 17.

At least 10 European data protection authorities have issued GDPR-related fines against the telecoms sector in the past three years. For example:

  • Three of Greece’s 12 fines have been against telecoms (two of which—at €200,000 each—are the highest imposed to date).
  • In 2020, Italy’s three biggest fines were against telecoms: TIM (€27.8 million), Wind Tre (€16.7 million), and Vodafone Italia (€12.25 million).
  • In Spain, Vodafone alone has been hit with nearly 40 fines since the GDPR came into force, ranging from €3,000 to €120,000, according to the GDPR Enforcement Tracker.

Carl Atkinson, employment lawyer at law firm Gunnar Cooke, says “part of the reason why telecom companies have been subject to high levels of enforcement is due to their business model, in which they hold large volumes of personal and financial data.” He adds that since the telecoms sector is particularly data-driven, it will be attractive to criminals who want to gain access to customers’ identity information and bank account details. Consequently, any failure to protect customer information will be serious given the number of customers potentially at risk.

Another reason why telecoms have been in the firing line, say experts, is due to the way they have misused customer information to push sales (often aggressively). Italy’s three large fines against telecoms last year were primarily concerned with telemarketing, for example.

Experts say other industries that hold massive amounts of customer personal and financial data are also ripe for sizeable penalties if either a breach occurs or the information is misused for business purposes. The hotel industry is one; airlines are another. The two sectors account for two of the biggest fines under the GDPR: British Airways and Marriott (£20 million and £18.4 million, respectively).


Aman Johal, director of consumer law firm Your Lawyers, says the aviation industry has been particularly vulnerable to data breaches. In 2018, British Airways endured two cyber-attacks that affected over 400,000 customers, while last year EasyJet suffered a “highly sophisticated cyber-attack” that saw the personal details of some nine million customers exposed.

“The British Airways case was seemingly not enough to stir its competitors to prevent cyber-attacks, and the industry still does not seem to have learned its cyber-security lesson,” says Johal. “Airlines must be vigilant to prevent cyber-attacks but, sadly, this is a responsibility that too many in the sector have failed to uphold.”

Camilla Winlo, director of consultancy at data privacy specialist firm DQM GRC, says those industries that are key players in the “data ecosystem” are potentially most at risk of breaches and therefore fines—namely, Big Tech, telecoms, and financial services.

These sectors, she says, are heavily data-driven and are involved in large-scale data processing. Additionally, the vast majority of customers are concentrated among just a few players whose churn rates are low, which can lead to companies being complacent about compliance because customers have tended to stick with them due to lack of choice.

The lack of competition in these key industry sectors means “users are dependent on regulators enforcing good practice,” says Winlo. “It should therefore come as no surprise these industries are the recipients of the majority of fines.”

However, she adds “we should not assume these industries are necessarily the worst offenders.

“There are plenty of companies out there that are deliberately misusing personal data to gain a financial and competitive advantage, and that is not necessarily what telecom firms and others are doing. It is more likely they are failing to comply through ineffective controls and procedures rather than a willful disregard of the rules.”

Instead, Winlo believes Big Tech firms pose a larger risk. “Due to the lack of choice in the market, these dominant companies can exert undue influence and control over their customer bases and the data they collect in exchange for use of their services.

“Facebook and Google are great marketing tools for many businesses. But there is a problem—if a company doesn’t want to use them because it feels their data policies are abusive, where else would it go? … In practice, most organizations have no realistic option but to use these platforms, and so the extent to which individual organizations can comply is dependent on the compliance posture of the platform.”