EUR272.5 million of fines have been imposed for a wide range of infringements of the EU’s data protection (GDPR) laws. This is the equivalent of about US$332.4m or £245.3m. That is the headline figure from international law firm DLA Piper’s latest General Data Protection Regulation (GDPR) fines and data breach report, which covers the EU, the UK, Norway, Iceland and Liechtenstein.
Italy has imposed the most fines, with EUR69.3m (about USD84.5m / GBP62.4m) since the application of GDPR on 25 May 2018. Germany and France came second and third with fines of EUR69.1m and EUR54.4m respectively.
There have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018. Germany (77,747), The Netherlands (66,527) and the UK (30,536) topped the table for the number of data breaches notified to regulators. France and Italy, countries with populations of over 67 million and 62 million people respectively, recorded only 5,389 and 3,460 data breach notifications for the same period. The report suggests this illustrates the cultural differences in national approaches to breach notification.
Rising rate of breach notifications
The daily rate of breach notifications in Europe grew for the second year running. There were 331 notifications per day since 28 January 2020, a 19% increase compared to 278 breach notifications per day for the previous year.
Weighting the results against country populations, Denmark and The Netherlands lead with 155.6 and 150 reported breaches per 100,000 people. Ireland is in third place with 127.8 reported breaches per 100,000 people. Greece, Italy and Croatia reported the fewest breaches per capita since 28 January 2020.
The highest GDPR fine to date remains the EUR50m (about $61m / £45m) imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent.
Significant climbdown by UK’s regulator
The UK Information Commissioner’s Office (ICO) published two notices of intent to impose fines in July 2019 totalling GBP282m (about EUR313m / $382m). However, in a significant climbdown by the ICO, the final fines imposed in October 2020 were greatly reduced to £20m. The Austrian authority suffered a setback when its EUR18m fine (GBP16.2m / $22m) was successfully appealed in December 2020.
Not all member states of the European Economic Area made details of breach notification statistics publicly available. Several provided only incomplete statistics, or statistics for part of the period covered by the report. As a result, figures were rounded up and in some cases extrapolated to provide best approximations. Similarly, not all GDPR fines are publicly reported, and some data covered only part of the period covered by the report.
A degree of leniency
Commenting on the report, Ross McKean, Chair of DLA Piper’s UK Data Protection & Security Group, said, “Fines and breach notifications continue their double digit annual growth. European regulators have shown their willingness to use their enforcement powers. They have also adopted some strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.
“However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic. There have been several high-profile fines reduced due to financial hardship. We anticipate the first enforcement actions relating to GDPR’s restrictions on personal data transfers to the US and other “third countries,” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”
Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group, said, “Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way, with some successful appeals and large reductions in proposed fines. We expect to see the trend of more appeals and more robust defences of enforcement action continue.”
Enterprise Times: What does this mean for business?
The Schrems II case refers to the European Court of Justice’s ruling that invalidated the EU-US Privacy Shield and ruled against the standard contractual clauses used by Facebook and other US companies to legitimise third-country data transfers. The original complaint was against Facebook Ireland Ltd. Mr Schrems argued that his personal data was being transferred to the US company Facebook Inc without his consent, and to a jurisdiction with broad surveillance laws that conflict with EU privacy laws.
GDPR was designed to protect the privacy of individuals in the EU. However, it has become increasingly apparent that global companies such as Facebook continue to harvest data on individuals, even when those individuals have no direct relationship with these companies. Without GDPR consent, these companies have no right to hold on to that data. It looks like European regulators are gearing up to challenge data breaches and issue more notices going forward. It will be interesting to see whether they shift their attention to the west and start taking on the US conglomerates, particularly now that the EU-US Privacy Shield is down.