European Union (EU) regulators have imposed General Data Protection Regulation (GDPR) fines of €272.5m (£242.6m/$330.5m) to date, €158.5m of them since 28 January 2020, in a sign that regulators are getting tougher on data privacy infringements as the regulation heads towards its third anniversary in May 2021.
That is according to new data compiled for a report by law firm DLA Piper, which found 121,165 breaches were notified in the same period, up 19% on the previous year.
Since GDPR’s inception, there have been over 281,000 breach notifications, including 77,747 in Germany, 66,527 in the Netherlands and 30,536 in the UK. The lowest totals were recorded in France and Italy, with 5,389 and 3,460 breaches, respectively.
However, Italy has imposed the highest aggregate fines of €69.3m, and France has imposed the highest individual penalty to date – a €50m fine against Google in 2019 for alleged infringements of the transparency principles and failure to obtain valid consent.
“Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers,” said Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group. “They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead.”
That said, regulators have not had everything their own way this year, as shown in particular by the large reductions in the fines imposed on airline British Airways and hotel chain Marriott International. Both penalties were cut substantially in light of the two organisations’ willingness to improve their cyber security postures and the impact of the Covid-19 pandemic.
Similar reversals have occurred in other countries as well, notably in Austria, where a proposed fine of €18m against Österreichische Post was overturned on appeal in December 2020.
Ewa Kurowska-Tober, global co-chair of DLA Piper’s Data Protection and Security Group, said: “Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action continue.”
McKean added: “We have also seen regulators show a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship.
“During the coming year, we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”
It is important to note that DLA Piper’s data is not necessarily a complete picture of the situation regarding GDPR enforcement – not all member states within the European Economic Area make details of breach notification statistics publicly available, and several others provide either incomplete statistics, or numbers covering only part of the period.