Skip to content
Saturday 18 July 2026EN · DE
City PM

European business, markets and politics

  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
Monday 19 December 2016 7:00 am

Yahoo would be liable to pay a $198m fine were GDPR already enforced

By: Elliott Haworth

Add as a preferred source on Google

At the dawn of the internet, Google and Yahoo were in stiff competition for search dominance.

Many think the former’s success was due in part to its name becoming a ubiquitous verb for searching online. But decades on, semantic development has finally caught up with Yahoo. Its name is now synonymous with bad data practice.

In both 2013 and 2014, the company was responsible for the biggest data breach in history, affecting 1bn and 500m accounts respectively. It faces class action lawsuits from disgruntled users over its failure to notify them of a cybersecurity breach. As context, a similar case involving retailer Target was settled for $39m last year.

But class action lawsuits will be the least of businesses’ worries once the EU’s General Data Protection Regulations (GDPR) are enforced in a little over 18 months. Under the new regulations there are myriad reasons a fine could be imposed, three of which Yahoo has violated. If an EU citizen’s data is breached; if it transpires that the systems in place were not GDPR compliant; or if the business fails to notify users within 72 hours, it can be fined 4 per cent of its global group revenue or €20m, whichever is greater.

There’s no scope for retroactive prosecution under GDPR, so Yahoo is off the hook regarding these breaches. But analysing the consequences hypothetically, as if it was already enforced, is an interesting way to understand just how far reaching GDPR is.

Yahoo Reportedly Considering Laying Off Hundreds
You can't run away from a data breach! (Source: Getty)

Yahoo’s 2015 revenue was $4.9bn, meaning that the hypothetical 4 per cent fine would be $198m per breach. Not company-killing money for a behemoth, but certainly impactful. Pricing in such heavy fines and lawsuits to results would knock profit margins off course, likely spooking investors, and resulting in further losses. The reputational damage could take years to rectify, if at all.

Yahoo said it discovered the first breach in July. It didn’t notify Verizon, which is in the process of acquisition, until September. In the US, there are notification laws – currently 47 states have them. But the thresholds are typically based on harm caused to consumers, which may be difficult to prove in this incident. Under GDPR a business has 72 hours to report a breach to those affected, otherwise, again, it will face a penalty.

Quite how the fines will be enforced is presently unclear, according to Paul Glass, partner in the data protection team at Taylor Wessing. “Regulators aren’t engaged with how they would price a fine like this, or what the process would be”, he says. “But if I was to speculate, there would be a draft penalty notice, which goes to Yahoo, with an indication of the level of fine – something like the early settlement regime similar to the FCA. I think that there would probably be some sort of room for negotiations.”

To agree an early settlement could work in favour of a business looking to quickly rectify and protect its reputation the best it can. Sitting on a breach like Yahoo did certainly makes you look suspicious.

Verizon is in the process of acquiring Yahoo for $4.83bn, but is exploring options to either cancel or renegotiate the price following further details of the breach. Verizon said it will "review the impact of this new development before reaching any final decision". But had the acquisition been finalised, would it be responsible for Yahoo’s breach? Under GDPR the so-called data controller is liable, “which would be Yahoo,” says Glass. “Post acquisition it would continue to be, unless it changes how it manages data.”

But like Myspace before it, Yahoo is being purchased, in part, for its plethora of user data, as well as its stake in Alibaba and Yahoo Japan. It’s likely that if Verizon sees the acquisition through, it will become the data controller, and therefore liable in the future. In this hypothetical model, had the breach been under Verizon, based on revenues of $131.6bn last year, a 4 per cent fine would make it liable for $5.2bn.

While hypothetical, it paints a picture of things to come. If a multinational that deals with consumer data as a core function of its business can’t get on top of its security and compliance, what hope do smaller businesses have?

The Yahoo breach should be a wake up call to businesses of all scopes and sizes. Research out yesterday from Veritas surveyed over 2,500 senior technology decision makers across the globe, and found that more than half of organisations have failed to begin any kind of preparation to meet even the minimum standards of GDPR.

Businesses should be adhering to GDPR as best practice. There is no excuse for poor data management – you can’t just blame Russia and hope it all blows over. GDPR is just 18 months away, and unpreparedness, while not on a Yahoo scale for most, could cost your business dearly. The fines are heavy, but the long lasting reputational damage could be a killer. Don’t “Yahoo it”.

Share this article

  • Facebook
  • X
  • LinkedIn
  • WhatsApp
  • Email

Similarly tagged content:

Sections

  • News

Categories

  • Business
  • Tech

Trending Articles

  • Revealed: KPMG and Deloitte offer bumper redundancy packages to slash headcount

  • Motsepe backed to succeed Fifa’s Infantino by South African minister

  • Brewdog owner shrugs off James Watt takeover bid

  • Finsbury lines up Games Workshop splurge using merger windfall

  • Citroën 2CV returns as a £13,000 electric car, and the timing is no accident

More from City PM

  • The Yahoo Boys: The men behind online romance scams

    Life&Style
    Group of young men using laptops and smartphones in a dimly lit room, representing online scam activities in Nigeria
  • ‘The problems didn’t begin with John Edwards’: Pressure grows for wider data watchdog overhaul

    Tech
    Offi
  • Over Half of Consumers Will Pay More for Brands That Are Transparent About AI Data Use, New Usercentrics Research Finds

    Business Wire
  • Social media ban may push children to ‘darker corners of the internet,’ lawyers warn

    Legal
    Australia's policy, which came into force in December and bars children under 16 from major platforms including Tiktok, Instagram, Snapchat and X.
  • Has Fifa quietly made mandatory release clauses the future of football transfers?

    Sport Business
    Getty Images logo on a digital screen, representing media and stock photography in a business and news context.
  • Fifa accused of bullying in attempt to kill off multi-billion class action claim

    Sport Business
    Getty Images news-related image depicting a significant event or person, suitable for general news and business contexts.
  • Fifpro accused of leaving footballers ‘in the cold’ by doing deal with Fifa

    Sport Business
    Business professionals in a conference room discussing strategies, with a presentation screen displaying key business metr...
  • Government warned ‘unworkable’ new healthy food rules will backfire

    Retail
    Delicious gourmet dish with vibrant vegetables and succulent meat, showcasing modern culinary presentation for food enthus...

City PM — European politics, business and analysis.

Europe

  • Germany
  • France
  • Europe
  • UK & Ireland

Topics

  • Business
  • Markets
  • AI
  • Technology
  • Opinion
  • Energy

More

  • Politics
  • Economics
  • Fintech
  • Legal
  • Sport
  • Life

Company

  • About City PM
  • Editorial Policy
  • Corrections
  • Contact
  • Terms of Use
  • Privacy Policy
  • Cookie Policy
© 2026 City PM · Published by CityPM Media, Bahnhofstrasse 65, 8001 Zürich, Switzerland
About · Editorial Policy · Corrections · Contact · Privacy · Facebook