€1.1 Billion in GDPR Penalties Imposed in the Past 12 Months

The latest DLA Piper GDPR and data breach report shows data protection authorities in the European Union imposed more than €1.1 billion ($1.2 billion) in financial penalties on organizations to resolve alleged violations of the General Data Protection Regulation (GDPR) in the 12 months from January 28, 2021, a substantial increase from the €159 million ($181 million) in fines the previous year.

Prior to 2021, the largest penalty imposed for a GDPR violation was the €50 million ($56.7 million) fine for Google, imposed by the French Data Protection Authority. In 2021, two substantial fines were imposed on tech firms to resolve alleged violations of the GDPR. The Data Protection Commission in Ireland fined WhatsApp €225 million ($255 million) to resolve alleged data processing transparency violations, and Amazon Europe Core S.a.r.l was fined €746 million ($846 million) by the Luxembourg National Commission for Data Protection for violations of the GDPR’s general data processing principles. WhatsApp and Amazon both disagreed with the decisions and have appealed the penalties.

The DLA Piper report also draws attention to the 8% annual increase in data breach notifications. In 2021, 130,000 notifications were sent to EU data protection authorities about breaches of the personal data of EU citizens, with notifications sent at a rate of around 356 per day. Germany topped the list with 106,731 personal data breach notifications, followed by the Netherlands with 92,657, the UK with 40,026, Poland with 29,003, and Denmark with 26,634. The data protection authorities in Croatia (356), Cyprus (289), and Liechtenstein (104) had the fewest data breach notifications. In terms of per capita data breach notifications, the list was topped by the Netherlands (151 per 100K), Liechtenstein (136 per 100K), and Denmark (131 per 100K).

In this year’s report, a total was not provided for the number of financial penalties imposed by each country as each country has a different approach to imposing financial penalties. Some countries tend to pursue large penalties against tech companies, while others, Spain for example, have imposed large numbers of small GDPR penalties. The large financial penalties imposed on WhatsApp and Google may grab the headlines, but they are being appealed and may be reduced or overturned. Regardless, the appeals process is likely to take years and involve considerable resources and costs. Large tech firms with very deep pockets are able to invest considerable resources into defending the cases, whereas smaller financial penalties are more likely to be paid. DLA Piper says it is currently unclear which approach is most effective as a deterrent.

The report also draws attention to the Schrems II judgment involving Facebook Ireland. The case, filed by privacy advocate Max Schrems, was heard by the Court of Justice of the European Union and concerned transfers of data between EU member states and the United States. Many companies that engage in transfers of personal data between the EU and US rely on the EU-US Data Privacy Shield, but the legislation was determined to be invalid as the transferred personal data could potentially be accessed by federal and state authorities in the United States. As a result of the judgment, companies that engage in data transfers between the EU and third-party countries must conduct comprehensive mapping of data transfers and detailed assessments of the risk of interception of personal data. Failures could not only result in substantial fines but also the suspension of data transfers, which could be disastrous. Consequently, companies must devote considerable resources to compliance with the judgment, which could take resources away from assessing other potential privacy risks.

Note: The DLA Piper report contains data from countries that are not EU member states, including the United Kingdom, Norway, and Liechtenstein, and not all data protection authorities make their fines public. In some EU member states, fines are announced, but it is unclear whether they have been imposed for violations of the GDPR or the EU e-Privacy Directive. DLA Piper also pointed out that it was not possible to collect complete data from some of the surveyed countries.