There has been a marked increase in challenges to GDPR rulings in recent months, with European companies appearing increasingly confident they can successfully appeal charges.
The surge has put a renewed focus on the lack of resources regulators have at their disposal.
A challenging caseload
The Wall Street Journal reports that in the past six months, fifteen appeals have been lodged for fine reductions, with six more currently awaiting a court's decision.
This has reportedly forced staff working for privacy regulators to spend much more time than they'd like defining the remit of a growing number of individual cases and making sure the correct legal procedures are followed at all times.
This has been made tougher by the fact that few regulatory bodies have been awarded adequate funding to tackle their current caseload. Privacy-conscious web browser Brave filed a complaint to the EU Commission last year after discovering that chronic underfunding was indeed hampering regulators' ability to enforce the rules.
Success prompts more challenges
Not unusually, the more challenges that succeed in reducing fines, or in overturning them completely, the more likely other companies are to be galvanized into appealing when they're charged.
Many organizations no longer hesitate to challenge the decision of data protection authorities. That's a big change.
Some experts have also said that because many regulators are short-staffed and running on stretched budgets, hunting for mistakes in the prosecution's legal proceedings has become a more beneficial endeavor.
In the past few months, several companies have had fines for breaching data regulations reduced after successfully appealing the decisions in court. Reasons for mass reductions vary but include explanations such as data not being sensitive enough to warrant the charges.
Privacy regulators in a number of European countries have also witnessed their rulings struck down by a court for reasons that could potentially set worrying precedents and impede enforcement of such rules in the future.
The most recent example is that of Deutsche Wohnen, a German property company, which had a fine levied against it overturned by a Berlin court, which said there was no specific employee identified as the culprit. A similar explanation was given in a case in Austria in December 2020. This will make it harder to fine larger, more bureaucratic companies.
Back in October, British Airways escaped a monster £183 million fine from British regulator ICO, which was later reduced to £20 million, with the impact of Covid-19 on the industry thought to have played a role.
A tougher stance
Despite several successful appeals from well-known European companies, regulators in Europe imposed €158.5m of fines between January 2020 and January 2021, which accounts for well over half of the total €272.5m imposed since the law came into force.
Law firm DLA Piper charted a 19% increase in reported data breaches in 2020 compared with the previous year, with regulators made aware of over 120,000 shortcomings.
Failing to comply with GDPR regulations can lead to fines totaling up to 4% of global revenue or €20 million, as dictated in the regulation.