Getting caught in the cookie jar is getting more expensive in Hungary
The GDPR went into effect five years ago – in May 2018. Since then, 67 fines for GDPR-related violations have been issued in Hungary. Here’s what businesses in the country should keep in mind.
Meta made headlines a few weeks ago as Ireland’s Data Protection Commission issued a fine to the company in the amount of €1.2 billion for GDPR violations – so far, the record amount in GDPR-related cases. Fun fact: the smallest fine for a GDPR violation across the EU was issued in Hungary in the amount of €28, according to a data privacy and cybersecurity tracker.
Just a couple of weeks before the decision on Meta, the French regulator issued a €5.2 million fine to Clearview AI on top of the €20 million fine issued earlier for breaching a number of requirements set out by the GDPR.
Currently, Spain and Italy are leading the EU in the number of finalized cases related to data privacy violations. However, Hungary is catching up, at the moment occupying 5th place
In fact, not long ago, the Hungarian data protection agency – the National Authority for Data Protection and Freedom of Information (NAIH) – issued its first fine for improper cookie management. In its published decision NAIH-3195/2022, which can be downloaded on NAIH’s website, the NAIH imposed a fine of HUF10 million (∼€27,000) on TV2 Média Csoport Zrt.
The TL;DR version of the 19-page document: TV2 Média Csoport Zrt failed to properly communicate its cookie management policy to users, it used terms like “legitimate interest” in a misleading manner, its data controller failed to properly communicate and interpret the legal basis of the consent, and it failed to be sufficiently transparent on the data management practices with and by the company’s 754 partners.
In its explanation of the fine amount, among other justifications, the authority specified that the lack of published decisions on a similar topic on the NAIH’s website was used as a mitigating factor.
A sign of more cookie consent management fines to come
So why should Hungarian businesses pay attention to this decision?
Well, besides the obvious fact that full compliance with the GDPR is mandatory, it seems that the message of the NAIH is clear: it’s just the beginning.
Now that the first decision in a cookie consent management investigation has been published, the lack of publicly available precedence can no longer be claimed as a mitigating factor.
On top of that, in its decision, the NAIH states: “The fact that this practice may be widely used by other data controllers does not make it legal.” In other words: “Just because violations of this nature are widespread and companies got away with it so far doesn’t mean it’ll continue this way.”
Third-party solutions: the false sense of security
TV2 Média Csoport Zrt claimed its use of a third-party solution that’s commonly used for cookie management and its compliance with the IAB Europe framework as justifications. The NAIH rejected both arguments, stating that these do not “constitute proof of compliance with the general data protection regulation.”
The GDPR is a complex, detailed set of requirements. Ensuring compliance often requires a comprehensive revision of business operations – something that many find to be too resource-consuming. Third-party solutions, with their “seamless compliance with the GDPR” marketing messages lull businesses into a false sense of security.
GDPR-related fines
What can Hungarian businesses then expect in terms of fines?
The NAIH enforces fines in accordance with Article 83 of the GDPR. Depending on the infringement and the level of severity, the NAIH can impose a fine of up to €20 million, or “in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
So far, the NAIH issued fines in GDPR-related cases in the total amount of €2.3 million. Between the 67 instances, the average fine so far has been €34,535.
Businesses should also keep in mind that in 2021, only eight fines were issued by the NAIH for GDPR-related infringements. In 2022, that number was 18. It appears that the wheels are picking up speed.
Furthermore, the average size of the fine has been exponentially increasing in the last three years. It went from €9,580 in 2021, to €63,224 in 2022, to €115,600 so far in 2023.