The 5 most remarkable privacy moments of the last year | Privacy | Deloitte Netherlands


The 5 most remarkable privacy moments of the last year

Let’s celebrate the GDPR’s first birthday!

This week we celebrate the GDPR’s first birthday! It is nearly impossible to have missed the day that the GDPR came into effect. Not only Europe, but the whole world was hysterical about the 25th of May 2018. With a major impact on the personal data processing activities of many organizations, the enforcement of the GDPR resulted in an interesting year for privacy worldwide. Therefore, we thought today would be a good day to reflect on the five most remarkable privacy moments of the last year.

By Iris Bosma | May 24, 2019

Exploding inboxes

The month in which the GDPR came into effect will probably be remembered as the month in which everyone’s inbox exploded due to the large amount of ‘consent renewal’ and ‘privacy policy update’ emails. All sorts of organizations reached out to their complete contact list with emails asking their customers to 'refresh' their consent for direct marketing campaigns or to inform them about the organization’s new privacy policies. This was an interesting start of the year, since - according to the English Data Protection Authority (DPA) - an email asking users to reconfirm their marketing preferences is by its very nature a marketing message. Sending newsletters to individuals by email is forbidden unless an organization has obtained their prior consent, but an exception exists for organizations sending direct marketing messages to existing clients. This soft opt-in exemption derives from the ePrivacy Directive, not from the GDPR itself. The exploding inboxes a year ago taught us that many companies took actions based on a misunderstanding of the GDPR and maybe even copied the behavior of other organizations based on fear and stress.

The most expensive hack

In the last year Uber received fines from the Netherlands, France, the UK and the United states for a single security hack that took place in 2016. During the hack, which was not reported by Uber, unauthorized persons acquired access to the personal data of 57 million Uber-users, customers and drivers, worldwide. The English DPA imposed a fine of £385.000 for Uber’s failure to protect customers’ personal information during the cyber-attack. In addition, the Dutch DPA imposed a fine of €600.000 and the French DPA followed suit with a fine of €400.000 for not reporting the hack to the any authorities. The abovementioned European fines may be considered low in comparison to the 148 million dollar settlement between Uber and the District of Columbia in the United States for this hack.

Cambridge Analytica raid by the English DPA

On a Friday night at the end of March last year, eighteen enforcement officers of the English Data Protection Authority entered the Cambridge Analytica headquarters in London. The controversial political consulting company allegedly misused the personal information of over 50 million Facebook users for tailor-made political campaigns that supported Donald Trump and Brexit. By raiding the company’s headquarters, the English DPA played a central role in the investigation of Cambridge Analytica’s use of personal data collected from Facebook.

The first serious European fine

On the 21st of January 2019 the French DPA imposed a financial penalty of 50 million euros on Google in accordance with the GDPR for a lack of transparency, inadequate information and a lack of valid consent regarding personalized advertisement. According to the French DPA, users are not able to fully understand the extent of the processing operations carried out by Google. Although this 50 million euro fine imposed on Google is the biggest fine imposed within the European Union for the violation of privacy legislation so far, the amount is extremely small compared to the maximum allowed by the GDPR for this type of offense by Google. The GDPR allows a maximum of four percent of Google’s annual turnover, which would easily run into billions (simple calculation: $136,22 billion * 0,04 = max $5,45 billion).

Mark vs the Senate

Besides remembering 2018 as the year in which the GDPR came into effect, last year will probably also be remembered as the year in which Mark Zuckerberg was questioned for almost ten hours by senators and representatives for the company’s privacy policies and its role in the Cambridge Analytica scandal. The world was closely watching and - although everyone expected Mark to get questioned roughly on Facebook’s responsibility – most senators’ understanding of the possibilities of present-day technology did not meet the public’s expectations. Interestingly, Facebook recently revealed its quarterly figures, which showed that the company set aside $3 billion for an expected fine from the Federal Trade Commission over privacy violations. A fine this high would undoubtedly have an enormous impact – even on a company the size of Facebook. Even more interesting is that it looks like one of the biggest data companies in the world is in a process of changing its overall strategy due to the changing public opinion on privacy.

All together it has been an amazing year for privacy all over the world. At Deloitte we are constantly conducting research towards the GDPR and privacy in general to stay up-to-date in this everchanging field. If you want to read more about our blogs and research, please visit Deloitte’s privacy page, or sign up for our privacy e-mail alert.

Privacy email alert

Receive the latest Privacy insights.


More information

Feel free to contact Annika Sponselee or Nicole Vreeman via their contact details below.

Did you find this useful?