At least 65 private individuals from the European Union have been fined for GDPR privacy violations since 2018. Fine amounts usually ranged from €100 to €6,000.
Contrary to what most of the public believes, the European General Data Protection Regulation (GDPR) also applies to private individuals and not just big multinational tech corporations.
Since 2018, when this EU-wide law entered into force, at least 65 private individuals have been fined for various GDPR-related privacy violations.
The overwhelming majority of GDPR fines received by private individuals relate to the improper usage of CCTV security surveillance cameras installed on the premises of private residences.
According to the GDPR, such security surveillance systems must not cover areas outside the residence’s premises, such as public roads, sidewalks, or a neighbor’s property.
For example, on 22 September 2022, a Spanish citizen was fined €3,000 by Spanish Data Protection Authority (AEPD) for installing several video surveillance cameras covering the public space.
On 13 September 2022, another Spanish citizen received a fine of €2,000 for the same reason.
National data protection authorities argue that by installing video surveillance systems that cover any public area, the installer of such a system becomes a “data controller” according to the GDPR.
Based on this, it is illegal to film any individual without their express consent.
Another reason multiple individuals received GDPR fines was for posting other people’s images on social media platforms without their consent.
For example, on 1 July 2021, a Spanish citizen was fined €6,000 for posting a video on social media that depicted a man aggressing a woman, with a younger male minor intervening and trying to stop the first man from abusing the woman.
However, the faces of both the woman and the minor were not pixelated, and consent for posting the video was not obtained, and as such, the Spanish Data Protection Authority (AEPD) determined that the video’s poster violated GDPR.
Taking pictures of random people could also get someone in trouble in the EU. A Spanish photographer discovered this after receiving a fine of €800 for taking pictures of people on a public beach.
Dashcam videos posted on social media by a German YouTuber ended up in a fine of €200. According to the Data Protection Authority of Nordrhein-Westfalen, posting dashcam footage online “has an insufficient legal basis”.
Private individuals can also be fined if they send emails to multiple recipients while the email addresses of all receipts are mutually visible to all.
This was the case of a German citizen who, on 2 May 2019, received a fine of €2,500 for sending several emails containing the email addresses of several subjects, where each subject could see the other recipients’ email addresses.
Impersonating someone on social media could also get someone in trouble, according to the GDPR.
In Ireland, a private individual impersonated a third party on Tinder and WhatsApp by using the third party’s photos as profile pictures. The individual in question was fined €1,200.
Since 2018, various national data protection authorities have issued approximately 1,200 individual GDPR fines. From these, at least 65 are known fines issued to private individuals.
Source: Privacy Affairs GDPR Fines Tracker
While only someone of the biggest fines – such as the €746,000,000 fine Amazon received in Ireland – make big media headlines, EU residents should remember that they, too, can be at the receiving end of these fines.
Likewise, it’s important to remember that GDPR violations don’t just occur in the context of data breaches and internet technology.
As the examples above have shown, it’s possible to be in breach of GDPR by posting unauthorized images on social media or improperly installing a CCTV surveillance system.
We believe security online security matters and its our mission to make it a safer place.