Breach Notification , COVID-19 , General Data Protection Regulation (GDPR)
Privacy Fines: Total GDPR Sanctions Reach $331 MillionBut Across Europe, Total Fines and Breach Reports Continue to Vary Widely by Country
Privacy regulators in Europe have imposed fines totaling more than $330 million since the EU's General Data Protection Regulation went into full effect, according to the law firm DLA Piper.
Over the last 12 months, European data protection authorities imposed fines totaling 158.5 million euros ($192 million) under GDPR, which makes for a total of 272.5 million euros ($331 million) in fines levied since the law went into full effect on May 25, 2018, according to DLA Piper's latest GDPR and data breach report. Not all of those GDPR violations involved data breaches.
But the number of data breach notifications that organizations made to regulators hit 121,165 for the past 12 months - led by Germany, the Netherlands and the U.K. - which was a 19% increase from the 101,403 breach notifications issued in the prior 12-month period, the report says.
GDPR includes tough breach-notification rules, often requiring organizations that learn they've been breached to inform relevant authorities, including their national data protection authority, within 72 hours. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or 20 million euros ($24.3 million) - whichever is greater. Organizations can also see their ability to process people's personal data get revoked.
Since GDPR came into full effect, Italy's regulator has imposed the greatest total amount of fines, nearly $85 million, followed by Germany and France, which respectively imposed fines totaling $84 million and $66 million, the law firm says.
Clearly, many DPAs have been strongly wielding their privacy-enforcement powers. "Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers," says Ross McKean, who chairs DLA Piper’s U.K. data protection and security group.
Some GDPR Consensus Has Been Building
Legal experts say that 2 1/2 years since GDPR came into full effect, consensus has been building among European nations over what constitutes a violation of the law. But organizations' risk of getting fined, and to what degree, varies widely by country. Compared to Italy, Germany and France, for example, Estonia, Liechtenstein, Iceland and Austria have total national GDPR fine values that are markedly lower.
Reporting of data breaches also varies widely by country. Per capita, Denmark leads, followed by the Netherlands and Ireland. At the other end of the spectrum, "Greece, Italy and Croatia reported the fewest number of breaches per capita since January 28, 2020," the report notes.
"These wide variations illustrate that although data protection laws within the EEA and the U.K. all derive from the same core GDPR regulation, the compliance culture of organizations and the interpretation and enforcement practice of the different data protection supervisory authorities varies very significantly," DLA Piper's report says.
"This regulatory uncertainty is particularly challenging for multi-national organizations with operations in multiple countries," it adds. "It is also challenging for their insurers, compounded by the legal uncertainty surrounding the question whether GDPR fines can be recovered under an insurance policy."
A previous report issued by DLA Piper that tracked the total fines imposed from when GDPR went into full effect until 20 months later, in mid-January 2020, counted $126 million in sanctions up to that point.
As did that report, this new one arrives with caveats. Namely, most, but not all, countries in the European Economic Area - which includes all 27 EU member states as well as Iceland, Liechtenstein and Norway, which also comply with GDPR - shared data. "Several have only provided incomplete statistics or statistics for part of the period covered by this report so the figures have been rounded up and in some cases extrapolated to provide best approximations," DLA Piper says. "Similarly not all GDPR fines are publicly reported and some data only covered part of the period covered by this report."
The report also includes data from the U.K., which formally exited the EU last month.
Post-Brexit, the British government says that under U.K. law, GDPR compliance - together with the country's Data Protection Act 2018 - will continue to be enforced, although it says there will be "technical amendments" added "to ensure it can function in U.K. law." In addition, "the Information Commissioner remains the U.K.’s independent supervisory authority on data protection."
3 Biggest GDPR Fines to Date
The three highest GDPR fines levied to date have been against:
- Google: France's privacy regulator CNIL in January 2019 hit Google with a penalty of 50 million euros ($61 million) for failing to clearly and transparently inform users about how it handles their personal data and for failing to properly obtain their consent for personalized ads.
- H&M: Privacy regulators in Hamburg, Germany, hit Swedish clothing retailer H&M with a 35.2 million euros ($42.7 million) fine last October for improper workplace surveillance practices.
- Italian Telecom: Italy's DPA, known as the Garante, imposed a 27.8 million euros ($33.7 million) fine on telecommunications operator Italian Telecom in January 2020 for a range of offenses, including a noncompliant and overly aggressive marketing strategy and retaining personal data for an unreasonable length of time.
Large Reductions Seen in Some Cases
Over the past year, some large proposed fines failed to materialize.
Notably, last October, Britain's ICO announced final fines of 20 million pounds ($27 million) against British Airways, for a 2018 data breach, and 18.4 million pounds ($25 million) against Marriott, for the four-year breach of its Starwood customer database.
While those fines remain the largest two GDPR sanctions imposed in Britain, they were respectively 90% and 80% lower than the fines the ICO had originally proposed. While the regulator said that the COVID-19 pandemic's ongoing impact on both businesses was a factor in its decision, legal experts say the ICO was also attempting to set a final amount that would stand up in court against any appeals.
On that front, in November 2020, a German court lowered the 9.6 million euros ($11.6 million) fine imposed on 1&1 Telecom - for call center data protection shortcomings - to 900,000 euros ($1.1 million), after 1&1 appealed, which is a right enshrined in GDPR.
In December 2020, an Austrian court overturned a fine of 18 million euros ($21.8 million) that Austria's DPA had imposed on the country's postal service, Österreichische Post AG, for its allegedly improper processing of personal data. But the court ruled that no such violation had occurred.
Future Fines: Expect More Appeals
Legal experts say that with British Airways and Marriott having seen final fines that were a fraction of what regulators first proposed, any organization that gets hit with a GDPR fine will likely seek similar concessions.
"Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals," says Ewa Kurowska-Tober, the co-chair of DLA Piper's global data protection and security group.
But at the same time, she adds, expect regulators to put in place "more robust defenses" of their enforcement decisions to attempt to blunt the impact of any such appeals.
Impact of Schrems Ruling Looms
Over the coming year, DLA Piper says two privacy trends to watch for are the impact of the July 2020 "Facebook Ireland and Schrems" - aka Schrems II - judgment handed down by Europe's highest court, as well as a push for group, or class-action, lawsuits in Europe.
Last July, the Court of Justice of the European Union ruled that the EU-U.S. Umbrella Agreement on Data Protection - aka the Privacy Shield - was invalid. In response, Austrian privacy rights campaigner Max Schrems, via his None of Your Business organization, "has issued 101 complaints to lead supervisory authorities demanding, in addition to fines, the immediate suspension of alleged illegal transfers of personal data from the EU to third countries," DLA Piper notes.
Some legal experts are also predicting an uptick in class-action lawsuits, which previously were not legally allowed in the EU for data breaches. But under GDPR, individuals affected by a data breach can seek direct and indirect damages. In the U.K., British Airways and Marriot have been hit by such lawsuits.
DLA Piper says the increase in such lawsuits in the EU and U.K. is being "fueled by billions of euros invested in litigation funds looking for claims to support."