Social media platforms fined €2Bn

In 2024, well-known social media platforms faced fines totalling €1.955 billion for violations of the General Data Protection Regulation (GDPR). Krete Paal, CEO of the Estonian privacy startup GDPR Register, analysed the most significant breaches and court rulings impacting European companies and the development of data protection practices.

The largest GDPR fine – €1.3 billion – was imposed on Meta Platforms, the parent company of Facebook, for transferring EU citizens’ data to the US without adequate safeguards.

“International data transfers are one of the most complex and strictly regulated areas of GDPR. This case offers valuable lessons for European businesses to review their processes, ensure their legality, and implement sufficient safeguards,” Paal emphasised.

The data protection expert advised businesses to regularly audit their international data flows, utilise encryption or advanced protection protocols if necessary, and comply with the latest European Court of Justice rulings.

TikTok also received a significant fine of €345 million for unlawfully processing the data of younger users.

“This highlights the need to adhere to stricter standards when processing children’s data, including transparent communication and obtaining parental consent where required,” Paal noted.

LinkedIn ranked third, fined €310 million for misusing user data for behavioural analysis and targeted advertising.

Paal also highlighted the importance of court rulings shaping the future of data protection practices.

Google Analytics and data transfers to third countries

A European Court of Justice ruling addressed the use of Google Analytics and the transfer of personal data to third countries, particularly the US, where data protection measures do not match EU standards. Such transfers violate GDPR if adequate safeguards, such as standard contractual clauses or encryption, are absent.

“This decision significantly affects European companies operating internationally or using tools like Google Analytics. I recommend consulting a data protection expert, critically reviewing existing processes, and, where possible, opting for European servers or alternative analytics tools,” said Paal.

Employee monitoring in the workplace

The European Court provided clear guidelines on employee monitoring, emphasising that such practices must be justified, transparent, and compliant with GDPR.

“The ruling highlighted the obligation to notify employees and ensure that monitoring measures are proportionate to their purpose. Privacy must be respected,” commented Paal.

The decision clarified the limits of permissible monitoring in sectors like logistics, manufacturing, and services, where tools such as cameras or GPS devices are used.

“Companies must ensure their internal policies and practices are transparent and compliant with regulations,” Paal added.

Banning manipulative user interfaces

The European Court banned manipulative user interface designs that trick users into making decisions against their will, such as hiding the “decline” button or making it less visible. For example, the “accept all” button must be as prominent as the “decline” button, and consent must be freely and knowingly given.

Paal noted that this ruling will significantly impact user experience design, setting higher standards for transparency and fairness.

“Companies will need to review their web interfaces to ensure they do not manipulate users, increasing transparency and influencing user experience design,” she explained.

Reflecting on the past year, Paal concluded that data protection is a rapidly evolving field where prevention of violations is key. “To prevent breaches and avoid fines, it is essential to conduct regular data protection audits, train employees, and implement technical and organisational measures,” advised the data protection expert.

Developed in collaboration with IT experts, the GDPR Register simplifies and streamlines compliance with GDPR requirements, helping companies and institutions efficiently manage processes, actions, and documents associated with GDPR regulations.