
Media, Telecoms & Broadcasting

Companies in the Media, Telecoms and Broadcasting sector face data protection authorities' vigorous scrutiny yet again. As of today, fines in this sector amount to EUR 596 million, based on 177 fines across 18 jurisdictions (+ 476 million and + 70 fines in comparison to the 2021 ETR). Considering the aggregated fine amount of about EUR 1.6 billion across all sectors, the Media, Telecoms and Broadcasting sector contributes more than one third of all fines. It also features four fines in the overall top five fines, all of which were levied against internet giants at the end of 2021: The Irish Data Protection Commission levied the second largest fine (EUR 225 million) against WhatsApp for violation of the data transparency principle; the French CNIL levied the third (EUR 90 million against Google LLC), fourth (EUR 60 million against Facebook Ireland) and fifth (EUR 60 million against Google Ireland) largest fines for unlawful cookie practices.

But let's take a closer look:

  • The Irish Data Protection Commission (DPC) levied a fine of EUR 225 million against WhatsApp Ireland Ltd (ETid-820). This is the second largest fine ever levied for a data protection violation. In particular, WhatsApp violated its transparency obligations towards customers (Articles 12, 13 and 14 GDPR), as it failed to provide users with information on the data processing operations, such as the data sharing with Facebook, in an intelligible and easily accessible manner, including towards children. In addition, the fine is based on WhatsApp's unlawful practice of crawling users' contacts stored on their phones, which is not limited to active WhatsApp users, but also extends to contacts who do not even have a WhatsApp account. Notably from a procedural point of view, the European Data Protection Supervisor (EDPB) required the DPC to increase the fine on the basis of the violation of Article 5 (1) a) GDPR (transparency principle), in addition to the violation of Articles 12-14 GDPR.
  • The French CNIL issued fines against Google LLC for the amount of EUR 90 million (ETid-978), against Google Ireland Ltd. for the amount of EUR 60 million (ETid-979) and against Facebook Ireland for the amount of EUR 60 million (ETid-980). All three fines relate to the companies' unlawful use of cookies on Google, YouTube and Facebook. While the companies offered clear buttons to accept cookies, there was no equivalently easy option to reject cookies. The companies therefore violated Article 82 of the French Law on Informatics and Freedoms. For the fine amount, the CNIL considered that Google and Facebook were able to gain significant advertising revenues through the cookies.
  • Remarkably, only two recent and significant fines relate to insufficient technical and organisational measures: the Hellenic DPA issued fines based on a violation of Article 32 GDPR against Cosmote Mobile Telecommunications S.A. for the amount of EUR 6 million (ETid-1024) and for the amount of EUR 3.2 million against OTE Group (ETid-1025). In the case against Cosmote, a hacker attacked the company's systems and obtained customers' sensitive data, which were subsequently leaked. Nearly 10 million data subjects were affected by the incident. Above all, the DPA pointed out that Cosmote did not implement stringent data anonymisation standards. In the case against OTE Group, a Cosmote subsidiary, the DPA found that OTE contributed to Cosmote's insufficient security infrastructure which ultimately led to the above incident.

Main takeaway

The most common reasoning for fines in the Media, Telecoms and Broadcasting sector remains insufficient legal bases for data processing operations. All data processing operations must rely on a sufficient legal basis according to Article 6 GDPR. In particular, the French CNIL has prominently fined Google and Facebook for their unlawful cookie consent systems. The cases are a precedent for all website operators and demonstrate that cookie consent management systems must be reassessed. Such consent systems must facilitate an easy choice for users, including the rejection of cookies. The significant fine against WhatsApp also illustrates the importance of compliance with the transparency principle. Companies must provide an easily accessible and intelligible privacy policy for all relevant data processing operations, including for the data sharing with group companies. In doing so, the transparency principle can be utilised to foster customers' and users' trust.