Regulatory fines for data breaches under the GDPR increased 39% in Europe during the past year to €158.5m, according to new research from law firm DLA Piper.
The company said regulators “tested their powers” under the GDPR in 2020 after a slow start during the regulation’s first 20 months when fines totalled €114m.
Total fines levied since the GDPR was introduced in May 2018 now stand at €272m, with five country regulators accounting for more than 92% of the total, according to DLA Piper.
Italy has imposed the highest fines at €69.3m, followed by Germany at €69.1m and France at €54.4m. The UK has imposed €44.2m of fines and Spain €14.5m. The French data protection regulator CNIL has levied the largest GDPR fine to date, of €50m against Google.
The report says there were 281,000 data breaches notified to European regulators under the GDPR by the end of January 2021. Germany has the most at 77,747, followed by the Netherlands at 66,527 and the UK at 30,536. France and Italy recorded just 5,389 and 3,460 data breach notifications respectively.
DLA Piper said that while regulators are flexing their new muscle under the GDPR, they have also had several cases appealed or fines reduced.
Last month, Austria’s postal service successfully appealed an €18m data breach fine. In the UK, meanwhile, the Information Commissioner’s Office reduced a record fine of £183m against British Airways (BA) to £20m. It also slashed a proposed fine of £100m against hotel chain Marriott International to just over £18m.
Legal arguments against fines are likely to continue, said the law firm.
Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group, said: “Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action continue.”
Ross McKean, chair of DLA Piper’s UK data protection and security group, added: “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead.”
Mr McKean said DLA Piper now expects the first enforcement actions regarding transfers of personal data to the US and other third-party countries following the Schrems II case. In July last year, the European Court of Justice ruled against the Privacy Shield agreement that allows EU consumer data held by tech firms and other businesses to be transferred to the US.
GDPR fines imposed May 2018 to January 2021: Top five countries
Italy €69.3m
Germany €69.1m
France €54.4m
UK €44.2m
Spain €14.5m
Source: DLA Piper
CRE
© Commercial Risk Europe