18/01/22

European data regulators issued EUR1.1 billion in GDPR fines

  • Luxembourg, Ireland and France top the table of the highest individual fines issued (EUR 746m, EUR 225m and EUR 50m respectively).  Luxembourg, Ireland and Italy top the table of the highest aggregate fines issued
  • There was an 8% growth for breach notifications compared to last year with more than 130,000 breaches notified since 28 January 2021
  • Per capita the Netherlands tops the rankings for data breach notifications
  • The increase in fines is significant but the Schrems II judgment of Europe’s highest court and its profound implications restricting international data transfers continues to be the top data protection compliance challenge for many organisations caught by GDPR

Nearly EUR1.1bn of fines have been imposed for a wide range of infringements of Europe’s General Data Protection Regulation.  This represents a 594% year on year increase in fines imposed since 28 January 2021 compared to EUR158.5m during the same period last year, according to international law firm DLA Piper.  The figure is taken from the law firm’s latest annual General Data Protection Regulation (GDPR) fines and data breach survey of the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein.

Luxembourg, Ireland and France top the rankings for the highest individual fines (EUR746m; EUR225m and EUR50m respectively). These high fines have placed Luxembourg and Ireland also at the top of the ranking for the total value of fines imposed since 25 May 2018. In this ranking, Belgium takes the 20th position with a total value of fines since 25 May 2018 of EUR508,000 (excluding fines that were successfully appealed).

The growth of breach notifications has continued with an 8% increase from last year’s average of 331 notifications per day to 356 this year and more than 130,000 personal data breaches notified in aggregate since 28 January 2021.

Weighting the results against country populations, the Netherlands takes pole position this year ahead of Liechtenstein and Denmark with 151, 136 and 131 breach notifications per 100,000 people respectively. Belgium moved up two places to the 15th position in the ranking with 14 breach notifications per 100,000 people.

While the increase in fines may be significant, the judgment of Europe’s highest court in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems in July 2020 known as “Schrems II” continues to be the top data protection compliance challenge for many organisations caught by GDPR.  The judgment and Chapter V of GDPR impose strict limitations on the transfer of personal data from Europe and the UK to “third countries” with data exporters risking suspension orders, fines and claims for compensation for failing to meet these new requirements.  The judgment requires organisations exporting personal data from Europe and the UK to third countries to carry out comprehensive mapping of those transfers and detailed assessments of the legal and practical risks of interception by public authorities in the countries where importers are located, greatly increasing the compliance burden on data exporters and importers.

Commenting on the survey findings, Heidi Waem, Counsel at DLA Piper Belgium and head of the Belgian data protection and privacy team said: “The nearly sevenfold increase in fines may grab the headlines but the Schrems II judgment and its profound implications for data transfers has established itself as the top data protection compliance challenge for many organisations caught by GDPR.

According to the survey findings the Schrems II judgment doesn’t just create a risk of fines and claims for compensation, it also threatens service interruption in the event data transfers are suspended, with serious implications for business continuity.

The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims.  The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks” said, Kristof De Vulder, Country Managing Partner of DLA Piper Belgium.

Heidi Waem continued "The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers.  Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations and is beyond the means of many small and medium sized enterprises.  What is really needed is a resolution of the underlying conflict of laws rather than imposing an unrealistic compliance burden onto business and another headwind to international trade as we emerge from the global pandemic."

Read the survey

dotted_texture