The Media, Telecoms and Broadcasting sector remains a sector of great importance for the supervisory authorities and still accounts for the largest share of the total amount of fines. To date, fines in this sector amount to EUR 3,996,956,428 (+ EUR 684,549,062 compared to the 2024 ETR) based on 314 fines (+ 56 fines compared to the 2024 ETR). This is partly due to the very high turnover of the companies concerned and partly due to their underlying business models, which are usually data-driven.
The average fine in 2024 was EUR 12,976,833. The highest fine of 2024 was imposed on LinkedIn with EUR 310,000,000 (ETid-2469) for processing data on an insufficient legal basis. This is also the 6th highest fine ever imposed on a company since the GDPR came into force. The second highest fine in 2024 was imposed on Meta Platforms Ireland Limited with EUR 251,000,000 (ETid-2484) in December, the 9th highest fine ever imposed on a company since the GDPR came into force. Both fines show that the supervisory authorities are willing to exhaust the full range of possible fines.
It is worth noting that the fines for the report timeframe came from only five countries (Ireland, Spain, Italy, Romania and the Netherlands), with the Spanish AEPD being the most active supervisory authority for this sector with a total of 13 fines.
Let's take a closer look
- The increase in fines imposed on companies in this sector amounts to roughly EUR 700 million, which compared to other sectors is a very significant increase. It is, however, considerably less than the increase in the preceding year 2023 for this sector (EUR 1.6 billion). That record increase was largely due to the fine of EUR 1.2 billion imposed on Meta Platforms for processing data on an insufficient legal basis (ETid-1844). This fine remains to date the highest fine ever imposed on a company under the GDPR.
- The highest fine imposed in this sector in the reporting timeframe was imposed on LinkedIn by the Irish DPA and amounted to EUR 310,000,000 (ETid-2469). The Irish DPA issued a draft decision under the cooperation mechanism of Art. 60 GDPR in July 2024. Art. 60 GDPR requires the lead supervisory authority (in this case the Irish authority) to cooperate with the other supervisory authorities concerned in order to reach consensus on investigations; the lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other. The other supervisory authorities did not raise any objections to the draft decision. The investigation found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioural analysis and targeted advertising. The Irish DPA found that LinkedIn had not obtained valid consent, since the users did not appear to have given it freely and unambiguously or to have been sufficiently informed. Additionally, the Irish DPA found that LinkedIn could not rely on its legitimate interests (Art. 6 (1) f) GDPR) because the fundamental rights and freedoms of the users outweighed the interests of LinkedIn. The authority also ruled that LinkedIn could not rely on the contract with the users (Art. 6 (1) b) GDPR) as a legal basis. Finally, in the opinion of the Irish DPA, LinkedIn had not provided users with sufficient information about the data processing in accordance with Art. 13 (1) c) GDPR and Art. 14 (1) c) GDPR. The investigation into LinkedIn started back in 2018 following a complaint from the French NGO 'La Quadrature Du Net'.
- The second highest fine was imposed by the Irish DPA, which fined Meta Platforms Ireland Limited EUR 251,000,000 in December (ETid-2484). The root of the fine was a data breach that affected 29,000,000 Facebook accounts. The breach occurred in 2018 and compromised names, email addresses, phone numbers and children's data. It resulted from the exploitation of user access tokens on the platform by unauthorised third parties. The DPA found several violations that together led to the total fine: violations of Art. 33 GDPR (EUR 11,000,000), for example because information was missing from the data breach notification; and of Art. 25 GDPR (EUR 240,000,000), concluding that Meta had failed to ensure that data protection principles were embedded in the design of its processing systems and had failed in its obligation as a controller to ensure that, by default, only personal data necessary for each specific purpose are processed.
- For the first time, the operator of an AI chatbot was fined: the Italian DPA fined OpenAI EUR 15 million (ETid-2497) for its "ChatGPT" service. Investigations into the AI chatbot of OpenAI OpCo LLC started in March 2023. Violations found by the Italian DPA included the failure to notify the DPA of a data breach that occurred in 2023, the use of users' personal data to train ChatGPT without a valid legal basis for such processing, and the violation of the principle of transparency. Furthermore, the California-based company had not sufficiently implemented age verification, which risked exposing children under 13 years of age. The Italian DPA also, for the first time, ordered OpenAI to carry out a six-month public information campaign to educate users on how ChatGPT processes data and how they can exercise their GDPR rights. Due to OpenAI's cooperation with the authorities the fine "only" amounted to EUR 15,000,000; without such cooperation the fine might have been (much) higher.
- Netflix International B. V. was fined EUR 4.75 million by the Dutch DPA (ETid-2507) for providing insufficient information to customers. The investigation was triggered by complaints from the NGO "noyb", an organisation founded by the Austrian privacy activist Max Schrems. The authority found that Netflix did not sufficiently inform customers about the processing of their personal data between 2018 and 2020. The privacy policy was unclear in some parts and did not provide sufficient information on the purposes and legal bases of the data collection and use. Aleid Wolfsen, chairman of the Dutch DPA, found that information from a company as big as Netflix "must be crystal clear". In addition, data subject requests regarding retained data were not answered adequately. Netflix has since revised its privacy policy.