
In the industry and commerce sector, DPAs from 27 different countries have so far imposed 495 fines (+40 in comparison to the 2024 ETR) on a variety of different enterprises including online platforms, software companies, AI startups, grocery store chains and food-delivery services, with a total fine volume of EUR 953 million (+EUR 56 million in comparison to the 2024 ETR).
Measured by the number of registered cases and the average fines imposed, companies in the industry and commerce sector remain highly affected by the imposition of GDPR fines. The sector remains highly influenced by the second highest fine ever imposed under GDPR (EUR 746 million against Amazon in 2021) and the most registered cases amongst all sectors (495). It is notable that the number of new fines imposed in this sector in 2024 (+40) is considerably lower than in the previous year (+83). The increase of the total fine volume to now EUR 953 million was heavily influenced by a EUR 30.5 million fine imposed by the Dutch DPA against Clearview AI Inc. The average fine amount was virtually identical compared to the 2024 ETR (approx. EUR 2 million).
Most companies in this sector were fined due to an insufficient legal basis for data processing (114), insufficient fulfilment of information obligations (99) and non-compliance with general data protection principles (91). The Spanish DPA (aepd) remains by far the most active DPA, imposing more than 40% of all fines in this sector (204), followed by the authorities of Italy (Garante: 71) and Romania (ANSPDCP: 59).
Let's take a closer look
- The highest fine in the industry and commerce sector in 2024 of EUR 30.5 million was imposed by the Dutch Data Protection Authority (AP) against Clearview AI Inc. (ETid-2448). Clearview AI, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation, the DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis. Furthermore, Clearview violated the principle of transparency by failing to adequately inform data subjects about the processing of their data. Additionally, the company did not respond to two access requests from data subjects. The company also failed to facilitate the right of access of data subjects located within the territory of the Netherlands. Lastly, the company had not appointed a representative within the European Union as required under the GDPR.
- The Czech DPA (UOOU) fined Avast Software s.r.o. EUR 13.9 million (ETid-2298). Avast Software had disclosed the personal data of around 100 million users of its antivirus software to the US company Jumpshot. Avast had transferred this data, including the users' pseudonymized Internet browsing history in connection with a unique ID, to Jumpshot, but falsely declared it to be anonymised. Users were incorrectly informed about the transfer of anonymised data, although partial identification of the data subjects was possible.
- The Lithuanian DPA (VDAI) imposed a fine of EUR 2.38 million on the second-hand online platform "Vinted" (ETid-2398). The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects, rejecting them because the data subjects had not provided specific reasons for their request. It was also revealed that the company was unlawfully using "shadow blocking" to remove users from the platform without their knowledge, which violated the principles of fairness and transparency. This also impaired users' ability to exercise their rights under the GDPR. In addition, the DPA found that Vinted had not taken sufficient technical and organisational measures to ensure compliance with the principle of accountability and to be able to demonstrate that it had taken appropriate measures regarding the right of access.
- Despite the new seven- and eight-figure fines in 2024, the standout fine and the second highest GDPR fine amongst all sectors is the EUR 746 million penalty imposed on Amazon Europe Core S.a.r.l. by the Luxembourg DPA (CNPD) in 2021 (ETid-778).