DLA Piper GDPR fines and data breach survey: January 2021

19 Jan 2021

A total of EUR272.5 million in fines has been imposed for a wide range of infringements of Europe's tough data protection laws. The figure is taken from DLA Piper's latest annual General Data Protection Regulation (GDPR) fines and data breach report, covering the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein.

Significant increase in breach notifications
It has been more than two and a half years since GDPR first applied on 25 May 2018. For the period from 28 January 2020 to 27 January 2021 there were on average 331 breach notifications per day (a 19% increase on the previous year's average of 278 notifications per day), so the trend for breach notifications continues to show double-digit growth.

Key findings: 

  • EUR158.5 million of fines imposed since 28 January 2020, a 39% increase on the previous 20-month period since the application of GDPR.
  • Double-digit growth in breach notifications for the second year running, with 121,165 breaches notified since 28 January 2020 compared to 101,403 breaches notified in the previous year, a 19% increase.
  • Per capita, Denmark tops the rankings for data breach notifications.
  • Italy has imposed the highest aggregate fines, with France imposing the highest individual fine to date.

Norway reported 4,898 data breaches notified to regulators, ranking it 10th overall in the survey. The total value of fines imposed by the Norwegian Data Protection Authority (DPA) was EUR828,345, ranking Norway in 12th place. Italy's regulator tops the rankings for aggregate fines, having imposed more than EUR69.3 million since the application of GDPR on 25 May 2018. Germany and France came second and third with aggregate fines of EUR69.1 million and EUR54.4 million respectively.

Chart: Total value of fines

In aggregate there have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018, with Germany (77,747), The Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators. France and Italy, countries with populations of over 67 million and 62 million people respectively, recorded only 5,389 and 3,460 data breach notifications for the same period, illustrating the cultural differences in approach to breach notification.

Chart: Total number of breaches

The aggregate daily rate of breach notifications in Europe experienced double-digit growth for the second year running, with 331 notifications per day since 28 January 2020, a 19% increase compared to 278 breach notifications per day for the previous year.

Weighting the results against country populations, Denmark takes pole position this year ahead of The Netherlands, with 155.6 and 150 reported breaches per 100,000 people respectively. Ireland is in third place with 127.8 reported breaches per 100,000 people. Greece, Italy and Croatia reported the fewest breaches per capita since 28 January 2020.

The highest GDPR fine to date remains the EUR50 million imposed by the French data protection regulator on Google, for alleged infringements of GDPR's transparency principle and lack of valid consent.

Following two high-profile data breaches, the UK Information Commissioner's Office (ICO) published two notices of intent to fine in July 2019 totalling EUR313 million. However, in a significant climbdown by the UK regulator, the final fines imposed in October 2020 were greatly reduced, to EUR22.2 million and EUR20.4 million. The Austrian supervisory authority suffered a setback when its EUR18 million fine was successfully appealed in December 2020.

Double-digit annual growth

Commenting on the report, Ross McKean, Chair of DLA Piper's UK Data Protection & Security Group, said: "Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR's restrictions on transfers of personal data to the US and other 'third countries' as the aftershocks from the ruling by Europe's highest court in the Schrems II case continue to be felt."

Petter Bjerke, Location Head of IPT at DLA Piper Norway, stated: "Public sector still represents the largest share, but we have also seen the first turnover based fines in private sector in 2020."


N.B. Not all Member States of the European Economic Area make details of breach notification statistics publicly available. Several have only provided incomplete statistics, or statistics for part of the period covered by this report, so the figures have been rounded up and in some cases extrapolated to provide best approximations. Similarly, not all GDPR fines are publicly reported and some data only covered part of the period covered by this report.