Fines imposed under the General Data Protection Regulation have increased by almost a half over the past year as European authorities flexed their regulatory muscles despite disruption caused by the pandemic.
According to research by DLA Piper, Ireland has imposed €715,000 in fines for GDPR breaches since the regulation came into force in 2018, ranking it 14th. However, it came sixth overall in terms of the number of data breach notifications in the past year, with more than 6,600 incidents reported to authorities.
A total of €272 million has been levied in GDPR fines by European data protection authorities. Over half of those penalties were imposed by Italy and Germany. Almost €160 million of those fines were imposed in the past 12 months, an increase of nearly 40 per cent on the first 20-month period after GDPR came into force.
Limits
“Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws,” said Ewa Kurowska-Tober, global co-chair of DLA Piper’s Data Protection & Security Group.
“Closer to home, the Data Protection Commission has flexed its muscles by issuing fines against domestic organisations as well as a large technology company. As lead regulator for many international businesses, and with a large volume of inquiries underway, the DPC is likely to issue further sanctions as 2021 progresses.”
The largest fine imposed under GDPR so far came from the French data protection authority, the CNIL. In 2019, it issued a €50 million fine against Google, saying that the tech group had failed to be transparent on how data were used and that it lacked a legal basis for personalising advertisements.
Other sectors that have been hit with large fines include retail, hospitality, telecoms and oil.
Germany and the Netherlands have had the most notifications from companies that suffered data breaches. The total of 121,165 notifications over the past year represents an increase of nearly 20 per cent compared with the same period in 2019-20.
However, the enforcement of GDPR in Europe has not been without hurdles.
“[Regulators] certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines,” said Ms Kurowska-Tober.
Last month, the Austrian data protection authority’s €18 million fine against the country’s postal service was overturned after the postal service appealed against the decision in a federal court.
Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group, said that regulators had also shown a “degree of leniency” during the pandemic, reducing several high-profile fines because of financial hardship.
One notable case was the fine from the UK Information Commissioner’s Office against British Airways for a data breach in 2018, which was reduced from a proposed £183 million to £20 million, still the fourth-largest GDPR fine on record.
Actions
Mr McKean said he expected additional enforcement actions to arise over the coming year as a result of the Schrems II case, which left open the question of whether data transfers to the US are lawful under that country’s current surveillance laws.
“It is positive to see that the number and size of the fines imposed under the GDPR continues to grow,” said Estelle Massé, senior policy analyst at Access Now.
“Moving forward, DPAs should not only look at fines but also use all other punitive sanctions available under the GDPR, such as the possibility to suspend data transfers or to request data acquired unlawfully to be deleted,” she said. – Copyright The Financial Times Limited 2021