Perspective is important.
I recently stumbled across a headline proclaiming that “Avengers: Endgame” had crossed $2.9 billion at the box office and surpassed “Avatar” to become the BIGGEST MOVIE OF ALL TIME. Except, that isn’t quite true; when you account for ticket prices, “Endgame” is ranked #5, still trailing “Avatar” and well behind “Gone With the Wind.”
In other words, the box office performance of “Endgame” is impressive and its unadjusted gross makes for a nice headline, but there’s more to the story, and the dollar amount needs to be put into perspective. Similarly, recent GDPR fines have made big headlines, but they might be less impactful than you think.
Google’s GDPR fine: A parking ticket
In January, France’s CNIL regulatory body fined Google $57 million for violating GDPR by pre-checking authorization agreements and failing to obtain proper consent for targeted advertising.
At the time, the fine made worldwide headlines and served as the first major enforcement of GDPR. But in reality, $57 million is barely a blip relative to Google’s 2018 revenue.
In 2018, Google’s parent company, Alphabet, took in more than $136 billion. That’s a little more than $372 million per day. In other words, a $57 million fine equals 15% of Alphabet’s 2018 revenue for a single day, or 0.04% of its annual revenue.
British Airways’ GDPR fine: A car payment
On July 8, the UK’s Information Commissioner’s Office (ICO) announced a $230 million GDPR fine stemming from British Airways’ 2018 data breach. The incident exposed the information of 500,000 customers and resulted from poor cybersecurity practices that violated GDPR requirements.
British Airways is a subsidiary of International Airways Group (IAG), along with several other carriers such as Vueling and Iberia. IAG’s 2018 revenue was just over $24 billion, which makes $230 million a little less than 1% of IAG’s 2018 annual revenue.
Marriott’s GDPR fine: A used iPhone
Also in July, the ICO announced another major GDPR fine, this time against Marriott International in the amount of $124 million. The breach compromised the data of 500 million customers including highly sensitive information such as passport numbers.
When Marriott acquired Starwood Hotels in 2016, it unknowingly inherited an advanced persistent threat (APT): cybercriminals had compromised Starwood’s booking system years prior and maintained their foothold. Following the Starwood merger, the hackers used that access to begin exfiltrating data from Marriott’s database. Failure to conduct proper cybersecurity due diligence during a merger is a violation of the GDPR.
In 2018, Marriott International generated about $20 billion in revenue. That means that $124 million is approximately 0.6% of the hotel giant’s revenue.
GDPR is just getting started—Facebook might be next
Don’t get me wrong: GDPR is hugely influential and has changed the entire dialogue around data privacy. And to be fair, GDPR fines are limited to 4% of global turnover (i.e., revenue).
Perhaps these fines are merely warning shots of more and stronger enforcement to come. EU regulators are currently investigating countless GDPR complaints; Ireland’s Data Protection Commission (DPC), for example, is nearing completion of 11 separate Facebook investigations, any one of which could result in a fine of billions.
If a GDPR fine were levied against Facebook at 4% of their $55.8 billion 2018 revenue, the amount would be $2.23 billion. And while that’s still less than half of Facebook’s $5 billion FTC fine, the penalties would begin to add up.
Ireland is key to GDPR enforcement considering the country’s role in hosting the European operations of some of tech’s biggest names. However, Ireland has been accused of being too cozy with tech companies and impeding regulatory enforcement. If Ireland’s DPC begins handing out fines, GDPR’s weight will increase rapidly and privacy violators might suddenly start taking compliance much more seriously.
Obviously, GDPR fines are not occurring in a vacuum and every violation is different. By looking at the relative impact of regulatory action, we can gauge how willing companies might be to change behavior going forward, or whether they’ll see GDPR fines simply as a cost of doing business.