Privacy Wrapped for 2022

Forget Spotify’s Wrapped playlist, here’s what happened in the world of privacy over the past year. If you don’t think privacy matters (or even if you do), prepare to be enlightened.

By Emma Sheppard


December 2022


Kicking off the year with a bang, Lisbon council was fined €1.25m by the Portuguese regulator after sharing hundreds of demonstrators’ personal data with the embassies of several countries, including Russia, Cuba and Israel. The revelation caused significant controversy when it came to light in 2020 and was believed to have been a contributing factor to Mayor Medina’s defeat in the subsequent elections. Staying in Europe, January also saw the European Data Protection Supervisor (EDPS) order Europol to delete its vast store of personal information that it had collected and stored unlawfully. And the French regulator CNIL fined Google and Facebook millions of euros because it ruled users couldn’t refuse cookies as easily as accept them.


In February, the marketing model of numerous businesses was thrown into doubt by the news that the Internet Advertising Bureau (IAB Europe) had been acting unlawfully under the GDPR. The trade body for the online advertising industry was fined €250,000, plus an additional €5,000 a day if it did not amend its practices within six months. IAB Europe would later appeal the decision made by the Belgian Data Protection Authority (APD) and the Belgian appeal court has referred certain questions to the European Court of Justice, so adding further to the delay in getting a final decision. 


Just as spring was getting started, the UK High Court ruled against the Home Office over its policy to extract data from mobile phones seized from asylum seekers arriving on small boats. An investigation into Project Sunshine, as it was known, found that immigration officers lied to migrants by claiming they could be prosecuted for not handing over their mobile passwords, when there was no such offence. Staying with mobile phones, March also saw the publication of a Trinity College Dublin study, which revealed pre-installed apps on Android phones were collecting huge amounts of data for Google with no opt out for users. 


Easter bunnies were happily foraging for chocolate eggs when it was announced that the Information Commissioner’s Office (ICO) was fining Reed Online Ltd £40,000 for sending more than 6 million marketing emails to people without consent. Reed had explained the emails were sent because of human error. They weren’t the only ones to fall foul of the regulations – Royal Mail and Halfords were also fined this year for similar activity. The Irish regulator was busy, fining the Bank of Ireland €463,000 for 22 personal data breaches that affected more than 50,000 customers. And this was the month that it was revealed Facebook doesn’t know what it does with user data, or where it goes, according to a leaked internal memo written by its privacy engineers. 


It’s fair to say Clearview AI hasn’t had a great year. Its troubles certainly didn’t start in May, but this was the month the ICO handed it a £7.5m fine for holding images of UK residents in its database, ordered the company to delete them, and told it not to collect any more in the future. The UK was the third country to take action against the firm, following Italy and Australia. Greece became the fourth in July and France the fifth in October. May was also the month that Google was in the High Court to defend its use of the confidential medical records of 1.6 million Brits without their knowledge. And Swedish fintech Klarna was fined €724,000 for having an inadequate privacy notice on its website.


Halfway through the year, a US healthcare company announced it had suffered a massive online data breach that exposed the medical records of almost 70,000 customers, after an unauthorised individual gained access to an employee’s email account. Back in the UK, the police were in hot water after the ICO warned them to stop the mass collection of personal information from rape victims. John Edwards, the information commissioner, said at the time: “Police or prosecutors are just not exercising the thoughtfulness and discipline we would expect and they’re going off on these quite wide fishing expeditions.”


As the weather warmed up, OpenSea, the world’s biggest marketplace for non-fungible tokens (NFTs), warned users to be on the alert for phishing attacks after it experienced a massive data leak. Its entire email database had been passed to an unauthorised external party by an employee at a firm OpenSea used to send automated emails. OpenSea had more than 600,000 users at the time, all of whom were told to presume they had been impacted. In other news, the privacy campaign group Big Brother Watch mounted a legal challenge against Southern Co-op for its use of a live facial recognition system in its stores. The technology is also used in shops such as Costcutter, Spar and Sports Direct. 


While many Brits flew abroad for their first international holiday in two years, a major IT provider for the NHS was hit by a ransomware attack that would take weeks to resolve. The incident at Advanced affected the systems used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions. Call handlers for the NHS 111 service had to resort to using pen and paper in the meantime. In France, the regulator fined the hotel group Accor €600,000 for sending unauthorised marketing communications. And the beauty retailer Sephora was hit with a bill of $1.2 million for CCPA breaches in California.



Back to school, and children are on the regulators’ minds. In September, the ICO issued a notice of intention to fine TikTok £27 million because it may have failed to protect children’s privacy while using the platform. The investigation found TikTok may have processed the data of children under the age of 13 without parental consent, failed to provide information to its users in a concise, transparent and easily understood way, and processed special category data without the legal grounds to do so. But TikTok wasn’t the only social media platform to be reprimanded – Meta was fined €405m by the Irish data protection authority over Instagram’s public-by-default setting for personal accounts of children. 


A 2016 data breach came back to bite Joe Sullivan, Uber’s former chief of security, in October, when he was found guilty of hiding the hack from the authorities and obstructing a Federal Trade Commission (FTC) investigation. The breach affected the Uber accounts of more than 57 million riders and drivers, and Sullivan could now face up to eight years in prison for the part he played. Some commentators are concerned it could signal a shift towards regulators putting personal liability on business executives for security breaches – in another example, the FTC imposed sanctions against a CEO for data privacy abuses. He’ll have to continue to comply with them, even if he leads other companies in the future.



As the World Cup kicked off in Qatar, France’s data protection agency was suggesting western travellers take burner phones to download the apps required to enter the stadium. Ehteraz, the country’s Covid-19 tracker app, for example, allows remote access to users’ pictures and videos and can make unprompted calls. Meanwhile, the personal data of hundreds of Australians was posted online after it was stolen from the country’s largest health insurer, Medibank. It came after Optus, Australia’s second-largest telecoms provider, earmarked $140m to cover the cost of its data breach from September, which affected 10 million customers. That’s around 40% of the Australian population. These breaches led to new legislation being passed which increased the maximum fine for a data breach to a whopping A$50m. And in the US, a flurry of resignations at Twitter, including several top executives from the privacy and security team, prompted a warning from the Federal Trade Commission.


With the end of the year in sight, Meta is expecting record EU privacy fines for all three of its social networks – Facebook, WhatsApp and Instagram. It’s expected the bill could add up to over €2 billion, setting a new record for the highest fines under the GDPR received by one company in one go. The decisions stem from complaints that the company does not have a proper legal basis to process millions of Europeans’ data. Apple is in hot water too. It’s being sued in California by two women who were victims of AirTag stalking. It is alleged Apple released the devices against the advice of experts who warned about security concerns, and subsequently downplayed the risks.
