Fines for companies not adhering to the General Data Protection Regulations set out by the EU have risen by almost half in the past 12 months, law firm DLA Piper has revealed.
The steep rise brings the total fines imposed since 2018 to €272m, €159m of which has been paid since January of last year.
Data breaches
The report compiled by DLA Piper also aggregated the number of data breaches since GDPR came into effect in Europe.
Germany topped the list with 77,747 recorded personal data breaches, followed by the Netherlands' 66,527. The United Kingdom is also a hotspot for leaks of this kind, with 30,536 taking place in the last two and a half years.
Denmark has the unfortunate honour of being the country with the most GDPR breaches per head, with 155.6 per 100,000 people, followed by The Netherlands and Ireland.
Under GDPR, serious offences can cost companies around 4% of their annual turnover. Yet despite the threat of this hefty dent in the company finances, the data from the last year charts a breach increase of almost 20% on 2019-2020.
Paying up and climbing down
DLA Piper looked at data breach reports from 27 European Member States as well as Norway, Iceland, Lichtenstein, and the UK, the latter of which was still in the EU when GDPR came into force.
Italy's data protection regulator was the most willing to impose fines for breaches of GDPR, handing out €69.3m of the total sum. Germany and France follow closely behind after issuing €69.1m and €54.4m in fines respectively, whereas Spain handed out almost 14.5m in fines to companies under its jurisdiction.
Two years ago the UK looked to be leading the way after the Information Commissioner's Office (ICO) declared in 2019 that they were going to issue two fines totalling £282m. However, the ICO later walked back on this, resulting in the fines totalling just £40.6m by the time they were imposed.
The Austrian Supervisory Authority, on the other hand, witnessed a successful appeal against the €18m fine they issued to Österreichische Post, the company that manages Austria's postal system.
The main offenders
The largest single fine since 2018 was issued by the French regulator CNIL, who slapped Google with a €50m punishment for their failure to be transparent about where their users' data ends up.
Although no company came close to Google's €50m fine, H&M was ordered to pay approximately €35m in October 2020 for internal data security breaches. UK-based British Airways were ordered to cough up around £20m last year after a data leak exposed 400,000 customers' information in 2018.
Other offenders inside the top ten included Italy's Gruppo TIM and Wind Tre as well as Vodafone. German property company Deutsche Wohnen and laptop retailers Notebooksbilliger also found themselves in hot water with the country's regulatory authority and forced to pay large sums to make up for it.
Testing the waters
Since data protection regulations came into force, authorities seem to have grown in confidence when it comes to demanding fines from companies mismanaging data.
Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe's tough data protection laws
However, she added that they "haven't had things all their own way," alluding to the fact some companies have been able to overturn their fines. Others, like British Airways, have managed to get Covid-19 discounts on their fines on top of other reductions.
What next?
Two and a half years after GDPR was enforced in Europe, the number of data breaches occurring across the continent is still rising rapidly.
It's difficult to gauge precisely how effective the process has been – on the one hand, there are fines being issued and regulators willing to take action – but on the other, there have been discounts, reductions and successful appeals.
Looking forward, Chair of DLA Piper’s Ross McKean said that "during the coming year, we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other "third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt."
Just last week, Spain's Caixabank S.A was served with a €6m fine for an 'insufficient legal basis for data processing, becoming the second multi-million Euro fine issued this year already for breaches of GDBR and likely not the last.