New Europe-wide analysis provides insights into GDPR fining and enforcement practice
28/05/2021

New Europe-wide analysis shows GDPR fines are here to stay, but with big differences between countries

  • The total amount of fines related to non-compliance with the GDPR reached EUR 261.7m in Europe, according to new analysis by global law firm CMS
  • GDPR enforcement activity strongly varies from country to country, with almost a third of all evaluated fines issued from Spain
  • Media, Telecoms & Broadcasting and Industry & Commerce totalled 40% of fines, emphasising the importance of risk management in customer-facing industries

With the omnipresence of digitisation and personal data across all industries, a tough crackdown on data protection compliance is sweeping across Europe. Data protection authorities (DPAs), in doing so, appear to be sticking to EU legislators' promise for greater data protection and data security under the GDPR.

The new findings are published today by global law firm CMS in the 2nd edition of its annual Enforcement Tracker Report, which analyses all publicly available information in relation to GDPR fines across Europe. The information used in the report is captured in CMS's GDPR Enforcement Tracker online database.

The report shows that a total of 287 known GDPR fines were imposed between March 2020 and March 2021, bringing the total to 526 fines in the period 25 May 2018 to 1 March 2021 (570, if all entries are counted). This increase from 239 notices, as outlined in Enforcement Tracker Report 2020, represents 120% growth in penalties in one year. With a total value of EUR 261.7m, DPAs across Europe have been acting decisively to ensure GDPR compliance among large and small businesses (and sometimes also public authorities) in the region.

Illegal processing of personal data (or, in legal terms, "insufficient legal basis for data processing") was the most common violation, accounting for 38% of all fines and for six out of 10 of the highest fines across Europe. This shows that companies are still struggling to manage the legal uncertainty in GDPR interpretation and application. Data security took the second spot, accounting for 21% of fines.

On a European level, almost a third of all fines issued were from the Spanish DPA, followed by Italy, Romania and Hungary. The UK had the highest average fine at EUR 11m, based on four penalties.

The report also revealed that public-facing industries received most scrutiny, possibly due to end customers’ willingness to file complaints with a DPA: The Industry & Commerce and Media, Telecoms and Broadcasting sectors each received 110 and 99 fines respectively, accounting for 40% of all fines issued. The highest and most common fines also in these industries were related to the legal basis for data processing and data security. Meanwhile, DPAs are also cracking down on illegal video surveillance, with 70% of fines issued in the hospitality industry relating to illegal video surveillance, as well as direct marketing activity, such as spam emails.

Among the highest-profile penalties issued, Google received the heaviest fine for insufficient legal basis for data processing owing to a lack of consent for use of data for marketing activities. Issued by France, the penalty was EUR 50m. European retailer Hennes & Mauritz (H&M) took the second highest penalty with EUR 35.3m for illegal employee surveillance and monitoring activities.

Tom De Cordier, Partner at CMS commented: “Beyond the mere facts and figures, our analysis reveals the relevant differences in DPA fining practices between jurisdictions. To provide more insights, especially for pan-European organisations, we collected details of enforcement frameworks from our local CMS data protection specialists. Even though fully harmonised, there is hardly another area that is shaped more by national laws and the respective watchdog's practices than GDPR fines and enforcement."

"It is also worth noting that the DPAs' opinions (as evidenced in a penalty notice or an initial notice of intention) are not necessarily the last word. DPAs as well as courts in the UK, Germany and various other countries, have significantly reduced fines. Apparently, it is not over "til the fat lady sings."

"Finally, there does not seem to be a direct correlation between a DPAs' propensity to impose fines and that DPAs' budget and resources. Our research reveals that the some of the most active DPAs (in terms of number of fines imposed) are DPAs who are known for being short on budget and resources. This is, for example, the case for the Belgian DPA and the Czech DPA who are nevertheless amongst the 10 most active DPAs."

Read the full report here; an executive summary is available here.

Related : CMS Belgium

LexGO Network