The company said regulators “tested their powers” under the GDPR in 2020 after a slow start during the regulation’s first 20 months when fines totalled €114m.
Total fines levied since the GDPR was introduced in May 2018 now stand at €272m, with five country regulators accounting for more than 92% of the total, according to DLA Piper.
Italy has imposed the highest fines at €69.3m, followed by Germany at €69.1m and France at €54.4m. The UK has imposed €44.2m of fines and Spain €14.5m. The French data protection regulator CNIL has levied the largest GDPR fine to date, of €50m against Google.
The report says there were 281,000 data breaches notified to European regulators under the GDPR by the end of January 2021. Germany has the most at 77,747, followed by the Netherlands at 66,527 and the UK at 30,536. France and Italy recorded just 5,389 and 3,460 data breach notifications respectively.
DLA Piper said that while regulators are flexing their new muscle under the GDPR, they have also had several cases appealed or fines reduced.
Last month, Austria’s postal service successfully appealed an €18m data breach fine. In the UK, meanwhile, the Information Commissioner’s Office reduced a record fine of £183m against British Airways (BA) to £20m. It also slashed a proposed fine of £100m against hotel chain Marriott International to just over £18m.
Legal arguments against fines are likely to continue, said the law firm.
Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group, said: “Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action continue.”
Ross McKean, chair of DLA Piper’s UK data protection and security group, added: “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead.”
Mr McKean said DLA Piper now expects the first enforcement actions regarding transfers of personal data to the US and other third-party countries following the Schrems II case. In July last year, the European Court of Justice ruled against the Privacy Shield agreement that allows EU consumer data held by tech firms and other businesses to be transferred to the US.
GDPR fines imposed May 2018 to January 2021: Top five countries
Italy €69.3m
Germany €69.1m
France €54.4m
UK €44.2m
Spain €14.5m
Source: DLA Piper