Since the implementation of the General Data Protection Regulation, violation notifications and fines have faced a double-digit annual growth at the European level, according to the law firm DLA Piper.
Since the application of the General Data Protection Regulation (GDPR) in the European Economic Area on May 25, 2018, 272.5 million euros in fines have been imposed for a wide range of infringements of Europe’s tough data protection laws.
DLA Piper, an international law firm, has published this figure in its latest annual report on General Data Protection Regulation (GDPR) fines and data breaches.
The survey covers the 27 European Union Member States, plus the UK, Norway, Iceland, and Liechtenstein.
“Companies have a duty to introduce internal data management and protection measures. Beware of those who do not respect their obligations,” warns Gaëlle Lipinski in-house Legal Adviser and Data Protection Officer at the Luxembourg Chamber of Commerce.
The National Data Protection Commission (CNPD), Luxembourg’s independent public institution in charge of data protection monitoring, has received 920 data breach notifications since 2018. The country ranks 18th overall in the survey, having issued no fines to date.
According to DLA Piper, Italy’s regulator tops the rankings with fines totalling 69.3 million euros, followed by Germany (69.1 million euros) and France (54.4 million euros).
“Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers,” explains Olivier Reisch, partner at DLA Piper’s Luxembourg Intellectual Property & Technology practice. “They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead.”
During this period, national regulators have been notified of more than 281,000 data breaches. Germany (77,747 notifications), the Netherlands (66,527) and the UK (30,536) top the chart for the number of data breaches regulators were notified of.
Although France and Italy have populations of over 67 and 62 million people respectively, the two countries have recorded only 5,389 and 3,460 data breach notifications, a low number that “illustrates the cultural differences in approach to breach notification,” the survey says.
In 2020, around 331 notifications were sent to national regulators every day, a 19% increase compared to the 278 daily breach notifications in 2019.
However, “regulators have shown a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship,” Reisch observes.
Record fine for Google
Google has received the highest GDPR fine to date (50 million euros), imposed by the French data protection regulator for alleged infringements of GDPR’s transparency principle and lack of valid consent.
“Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws,” notes Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group.
“But they certainly haven’t had everything go their way, considering some notable and successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action continue.”
Schrems II vs Facebook
For 2021, the international law firm anticipates “the first enforcement actions related to GDPR’s restrictions on transfers of personal data to the US and other ‘third world countries’” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.
On 16 July 2020, the European Court of Justice (ECJ) issued its Schrems II ruling. The matter was brought before the court by Maximilian Schrems, an Austrian activist.
Schrems had called on the Irish Data Protection Commissioner to invalidate Facebook’s Standard Contractual Clauses (SCC), which allowed the social media giant to transfer personal data to its headquarters in the US.
The personal data, both in transit to and when stored in the US, it was argued, could be accessed by US intelligence agencies. This, according to Schrems, would be in violation of the GDPR and, more broadly, EU law.
The ECJ invalidated the EU-US Privacy Shield, the international agreement between the EU and the US which provided for an adequate level of protection of personal data exported to the US.