Five Biggest Data Protection Fines and Settlements of 2024

Large-scale data breaches and privacy violations have become a common occurrence over the past decade amid the vast collection of personal information online.

In response, a plethora of data protection and cybersecurity regulations have come into force, enabling authorities get tougher with businesses who fail to adequately protect individuals’ personal data.

Eye-watering financial penalties for cybersecurity and privacy failings have become commonplace in the EU since the General Data Protection Regulation (GDPR) came into effect in 2018, with authorities taking a particularly hard line since mid-2021.

This approach aims to send a strong message to organisations that they must implement robust controls and solutions to protect people’s personal data.

In 2024 we have seen a continuation of this trend across the EU, while over in the US, regulators have also stepped up the consequences for data protection violations.

Additionally, in the US in particular, class action lawsuits for data breaches and privacy violations have become commonplace, further increasing the consequences for businesses of not securing user data.

In July, the State of Texas revealed it reached a $1.4bn settlement with social media giant Meta for unlawfully capturing and using biometric data of millions of Texans.

The settlement concludes a lawsuit filed by Texas Attorney General Ken Paxton in February 2022, which alleged that Meta unlawfully captured Texans’ biometric data without obtaining their informed consent. This breached Texas’s Capture or Use of Biometric Identifier (CUBI) Act and The Deceptive Trade Practices Act.

The lawsuit relates to the Tag Suggestions feature on Meta’s Facebook which was rolled out in 2011. This made it easier for users to ‘tag’ photographs with the names of people in the photo.

Facebook ran facial recognition software on virtually every face contained in the photographs uploaded to the social media platform, capturing records of the facial geometry of the people depicted.

This process was undertaken without informing or obtaining the consent of Facebook users.

The agreement is the largest ever privacy settlement in the US to date.

The Irish Data Protection Commission (DPC) issued a €310m ($336m) fine to LinkedIn in October for violating the GDPR in its advertising practices.

LinkedIn used information it received directly from its members as well as data obtained via its third-party partners relating to its members for the purposes of behavioural analysis and targeted advertising.

The DPC concluded that LinkedIn infringed Articles 5, 6, 13 and 14 of the GDPR for failing to request formal consent from users to process third-party data, not ensuring legitimate interest for processing the first-party personal data of its members and failing to ensure users’ personal data was collected following a principle of fairness.

Transportation firm Uber was hit by a €290m ($324m) fine by the Dutch Data Protection Authority (AP) in August for violating the GDPR by storing driver data in the US without adequate safeguards.

The penalty related to concerns that European citizens’ human rights may be endangered if their data is stored in the US without safeguards, as their personal data may otherwise be accessed and queried by law enforcement and intelligence agencies there.

The AP claimed Uber had not used Standard Contractual Clauses (SCCs) or other means to ensure that citizens’ personal data stored on US servers received levels of protection equivalent to those in the EU.

It said that sensitive personal information included account details, taxi licenses, location data, photos, payment details, IDs and in some cases drivers’ criminal and medical records. These were transferred to Uber’s headquarters in the US for over two years without proper safeguards, the AP added.

In September, Ireland’s DPC announced it had fined Meta €91m ($102m) for mishandling social media users’ passwords and GDPR infringement.

The initial inquiry began in April 2019 after Meta notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems, meaning no cryptographic protection or encryption was in place.

This was considered a severe security failing as such information would enable access to users’ social media accounts.

Meta said that there is no evidence the passwords were abused or accessed improperly.

However, the firm was found to have breached GDPR in numerous ways, including not ensuring the ongoing confidentiality of user passwords.

Pennsylvania healthcare company Lehigh Valley Health Network (LVHN) agreed a class action lawsuit worth $65m in September following a medical record hack affecting 600 patients and employees.

The lawsuit began in March 2023 after hackers accessed highly sensitive data held by LVHN including addresses, email addresses, dates of birth, Social Security numbers and passport information, alongside various medical data and some nude photos.

The settlement is believed to be the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case.

The financial consequences for failing to properly protect personal data is now impacting businesses in a substantial way, both in the EU and US.

Regulators will hope this approach will ensure cybersecurity and data protection becomes a bigger issue in the boardroom, ultimately translating into stronger measures being implemented to avoid these costly penalties from occurring.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?