Data protection penalties climbed 40% in the past year, according to research
Fines imposed under the General Data Protection Regulation have increased by almost a half over the past year as European authorities flexed their regulatory muscles despite disruption caused by the pandemic.
A total of €272m has been levied in fines by European data protection authorities since the introduction of the GDPR in 2018. Over half of those penalties were imposed by Italy and Germany. According to research by DLA Piper, €159m of those fines were imposed in the past 12 months, an increase of nearly 40 per cent on the first 20-month period after GDPR came into force.
“Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws,” said Ewa Kurowska-Tober, global co-chair of DLA Piper’s Data Protection & Security Group.
The largest fine imposed under GDPR so far came from the French data protection authority, the CNIL. In 2019, it issued a €50m fine against Google, saying that the tech group had failed to be transparent on how data were used and that it lacked a legal basis for personalising advertisements.
Other sectors that have been hit with large fines include retail, hospitality, telecoms and oil. Germany and the Netherlands have had the most notifications from companies that suffered data breaches. The total of 121,165 notifications over the past year represents an increase of nearly 20 per cent compared with the same period from 2019-20.
However, the enforcement of GDPR in Europe has not been without hurdles. “[Regulators] certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines,” said Ms Kurowska-Tober. Last month, the Austrian data protection authority’s €18m fine against the country’s postal service was overturned after it appealed against the decision in a federal court.
Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group, said that regulators had also shown a “degree of leniency” during the pandemic, reducing several high-profile fines because of financial hardship. One notable case was the fine from the UK Information Commissioner’s Office against British Airways for a data breach in 2018 that was reduced from a proposed £183m down to £20m — still the fourth-largest GDPR fine on record.
Mr McKean said he expected additional enforcement actions to arise over the coming year as a result of the Schrems II case, which left questions remaining over whether data flows to the US were legal under its current surveillance laws.
“It is positive to see that the number and size of the fines imposed under the GDPR continues to grow,” said Estelle Massé, senior policy analyst at Access Now. “Moving forward, DPAs should not only look at fines but also use all other punitive sanctions available under the GDPR, such as the possibility to suspend data transfers or to request data acquired unlawfully to be deleted,” she said.