Newly-published research from international law firm DLA Piper has revealed that more than EUR185.5 million of GDPR-related fines have been imposed by European regulators since 28 January 2020 – representing a 39% increase on the total fines levied during the previous 20-month period since GDPR’s introduction.
In total, more than EUR272.5 million (about USD332.4 million / GBP245.3 million) of fines have been imposed for a wide range of infringements, according to the law firm’s latest annual General Data Protection Regulation (GDPR) fines and data breach report of the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein.
Italy’s regulator tops the rankings for aggregate fines having imposed more than EUR69.3 million (about USD84.5 million / GBP62.4 million) since the application of GDPR on 25 May 2018. Germany and France came second and third with aggregate fines of EUR69.1 million and EUR54.4 million respectively.
Commenting on the report, Ross McKean, Chair of DLA Piper’s UK Data Protection & Security Group, said: “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.
“However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”
Breach battles
The aggregate daily rate of breach notifications in Europe experienced double-digit growth for the second year running, with 331 notifications per day since 28 January 2020, a 19% increase compared to 278 breach notifications per day for the previous year. There have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators.
The highest GDPR fine to date remains the EUR50 million (about USD61 million / GBP45 million) imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent.
Following two high profile data breaches, the UK Information Commissioner’s Office (ICO) published two notices of intent to impose fines in July 2019 totalling GBP282 million (about EUR313 million / USD382 million). However, in a significant climbdown by the UK regulator, the final fines imposed in October 2020 were greatly reduced to GBP20 million (about EUR22.2 million / USD27.1 million) and GBP18.4 million (about EUR20.4 million / USD25 million).
Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group, said: “Regulators have been testing the limits of their powers this year issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defences of enforcement action continue.”
While the DLA Piper research data is as comprehensive as possible, the law firm points out that not all Member States of the European Economic Area make details of breach notification and fine statistics publicly available, leading it to round up and, in some cases, extrapolate the available data to provide best approximations.