In this #36 issue of “Lexing Insights” the members of the Lexing network focus on “Fines by Data Protection Authorities in 2022”.

Overview of the 2022 convictions

Over the last 2 years, there have been a significant increase in the number of convictions by data protection authorities against private organizations and, more and more, against public organizations as well.

Of course, large IT companies, such as Google or Meta, have been regularly condemned, often for extremely large amounts, but smaller companies or public bodies are also prosecuted, more and more regularly.

Furthermore, pressure on data protection authorities from consumer groups or associations is a growing phenomenon that organizations should not underestimate in terms of compliance.

Finally, the matter of cross-border flows to the United States remains nowadays an unresolved issue for European companies. It has as well led to a certain number of sanctions, in particular, in respect of cookies.

A world tour of fines by data protection authorities

In this #36 issue of “Lexing Insights”, we offer you an overview of the 2022 convictions by data protection authorities in

  • –Africa:  data protection authorities in Africa have begun fining organisations for non-compliance with data protection laws. In Angola, Africell was fined $150 000 for failing to get prior authorisation and in Kenya, Oppo was fined KES 5 million for not complying with an enforcement notice. South Africa’s data protection authority, the information regulator, is currently investigating complaints and is likely that the next fine will be from South Africa;
  • –Belgium: in 2022, the litigation chamber of the Belgian DPA (APD) broke its record by issuing no less than 178 decisions, among which only twelve resulted in the imposition of administrative fines. The year 2022 also marked the appearance of a new practice within the litigation chamber: the transaction;
  • –China: breach of the PRC Personal Information Protection Law (PIPL), which took effect on 1st November 2021, may result in administrative sanctions under PIPL for both corporate processors in question and the person in charge. For example, on 21 July 2022, a fine of RMB 8.026 billion was imposed on DiDi Global Inc. for excessive processing of personal data involving both passengers and drivers. Fines were also imposed on the Chairman and CEO and the President of DiDi Global Inc.;
  • –Spain: our correspondent offers a selection of the most notable GDPR fines imposed by the national APD (AEPD) and of the most common infringements of GDPR in Spain;
  • –Greece: in 2022, the national DPA (HDPA) examined a number of interesting cases and imposed record administrative fines, demonstrating a rigorous approach to data protection and privacy legislation violations (including a fine of EUR 20.000.000 on Clearview AI due to data protection legislation violations);
  • –Hungary: our correspondent examined 134 decisions from the last three years by the national DPA (NAIH) to identify the most common infringements of GDPR and most significant fines imposed in the country.

The following countries have contributed to this issue: Belgium, China, Greece, Hungary, South Africa, Spain.

Lexing International Newsletter “Lexing Insights” No. 36 “Fines by Data Protection Authorities in 2022″– April 2023