European regulators imposed €158m in GDPR fines in the last year

19 Jan 2021

Image: © weerapat1003/Stock.adobe.com

Reported data breaches in Europe rose by almost 20pc in the last year, with Ireland ranked as the third highest country per capita for breaches notified to regulators.

Since the GDPR came into effect in May 2018, European authorities have been testing out their new powers, imposing fines for a wide variety of infringements.

According to a new report from law firm DLA Piper, European data protection regulators have imposed more than €158m in fines since 28 January 2020. This figure is almost a 40pc increase on the previous 20-month period, bringing the total amount to more than €272m in fines since May 2018.

The annual GDPR fines and data breach survey examined the number of data breaches notified by each country as well the value of fines issued. It noted some limitations where details of breach notification statistics were not made publicly available.

According to DLA Piper’s survey, Europe saw an average of 331 breach notifications per day in the last 12 months. This is a 19pc increase on the previous year’s average of 278 notifications per day.

In Ireland, more than 6,600 data breaches were notified to the Data Protection Commission in last 12 months.

This ranks Ireland as the third highest country for reported data breaches on a per capita basis and sixth overall. While Germany had the highest number of reported breaches overall, Denmark took the top spot for highest number of breaches per capita.

However, the total value of fines issued in Ireland was much lower than its European counterparts.

Ireland has issued €715,000 worth of GDPR fines since May 2018, ranking 14th in Europe in terms of highest monetary value. The Irish Data Protection Commission announced its first major Big Tech fine at the end of last year, fining Twitter €450,000 under GDPR for a data breach that was discovered in 2018.

Germany and Italy have both issued a total of more than €69m in fines since May 2018. France ranks third in terms of total value of fines at €54m, but still holds the top spot for the largest single GDPR fine issued.

In January 2019, France’s data protection authority hit Google with a €50m fine for allegedly breaking EU privacy laws. In October 2020, Germany issued the second highest GDPR fine to date, when it fined retailer H&M €35m for storing and exposing data on staff health and religious beliefs.

‘Testing their powers’

Chair of DLA Piper’s UK Data Protection and Security Group, Ross McKean, noted that fines and breach notifications continue to grow in double-digit percentages, with European regulators showing their willingness to use their enforcement powers.

“They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead,” he said. “During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

John Magee, intellectual property and technology partner at DLA Piper Ireland, added that regulators have been “testing the limits of their powers this year” but noted that things haven’t always gone their way.

One high profile data breach at the Marriott hotel group saw the UK’s data watchdog threaten a fine of more than £99m before a significant climbdown to less than £20m. Meanwhile in Austria, an €18m fine imposed by its data regulator was successfully appealed in December 2020.

“Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action to continue,” said Magee.

Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com