European data regulators imposed GDPR fines totalling €158.5m between 28 January 2020 and 2021, a 39% increase on the previous 20 months since the introduction of the harsher data protection law.
During the same period, the number of breach notifications jumped by 19% to 121,165, according to a report by international law firm DLA Piper. It marks the second year running in which data breach notifications experienced double-digit growth and means there has been an average of 331 breach notifications per day across Europe.
The figures reflect a crackdown on businesses as regulators continue to find their teeth and apply the higher fines available to them.
GDPR, or the General Data Protection Regulation, mirrors much of existing data protection law but significantly increases the maximum enforceable fines. For the most serious offences, companies in breach of GDPR can be hit with fines of up to €20m or 4% of annual global turnover – whichever is greater.
GDPR investigations are also long and litigious affairs, which means the increase could also be due to more investigations having sufficient time to conclude.
Despite the overall increase in GDPR fines, there have been significant reductions in penalties due to company appeals.
The UK’s Information Commissioner’s Office (ICO) completed two high-profile data breach cases in 2020. British Airways’ fine for a 2018 breach exposing personal and financial data of 400,000 customers was downgraded from £183m to £20m.
Similarly, the ICO reduced Marriott International’s £99.2m fine for failing to protect hundreds of millions of hotel guest records to £18.4m.
Total GDPR fines have reached €272.5m (£245.3m) since it came into force on 2 May 2018. In aggregate, there have been more than 281,000 data breach notifications submitted to regulators since GDPR’s introduction.
The highest GDPR fine to date remains the €50m levied by the French data regulator on Google in 2019 for an alleged lack of valid consent and transparency infringements.
Overall, Germany has reported the most data breach notifications since 25 May 2018, accounting for 77,747 cases.
Denmark reported the highest number of data breaches per capita, with 155.6 reported. The Netherlands came second using this metric, with 150, while Ireland came third with 127.8.
“Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers,” said Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group.
“They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship. During the coming year, we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”