It has been more than 3 years since the EU General Data Protection Regulation (GDPR) took effect, and while there was a slow start to policing compliance with the GDPR, the number of violations being discovered has been increasing, as have financial penalties for noncompliance.
Data Protection Authorities across the EU 27 member states have been increasingly focused on implementing the GDPR and that focus has resulted in more GDPR violations being uncovered. New data released by Finbold show the cumulative number of GDPR violations increased by 113.5% in the past 12 months from July 2020 to July 2021. Violations increased from 332 to 709 in 2021, with the number of fines rising by 124.92%. As of July 2020, the cumulative fines were €130.69 million with the total rising to €293.96 million in July 2021.
There have been several sizable GDPR penalties imposed in the last 12 months. The largest penalty of the year to July 18 – and the largest to date at €60 million – was imposed on Google by the French Data Protection Authority, with Google Ireland fined €40 million by the Irish Data Protection Authority. Other large GDPR penalties include the €35.26 million penalty for H&M (Hennes & Mauritz Online Shop) by the German Data Protection Authority, a €35 million fine for Amazon Europe Core by the French DPA, and a €27.9 million financial penalty imposed by the Italian DPA on telecom company TIM.
The increase in financial penalties shows Data Protection Authorities are increasingly willing to use their enforcement powers. It has been more than 3 years since the GDPR took effect so organizations doing business in EU member states have had plenty of time to ensure they are in compliance with the GDPR. The increase also shows DPAs are finding it easier to detect violations of the GDPR with respect to the personal data of EU citizens, helped by consumers reporting privacy violations.
The financial penalty total could have been far higher were it not for Data Protection Authorities being lenient because of the coronavirus pandemic. There were several notable cases where large financial penalties were imposed, only to be reduced later because the companies were experiencing pandemic-related financial difficulties, with British Airways and Marriott notable examples. The UK Data Protection Authority reduced the financial penalty for British Airways from £183 million to £20 million, and Marriott’s fine was reduced from £99 million to £18.4 million due to coronavirus-related financial difficulties.
Over the past 12 months there has been an increased focus on large tech and telecom companies, which engage in large-scale data processing, with many accused of deliberately misusing the personal data of EU citizens to gain a competitive advantage.
“Most customers are concentrated among just a few players whose churn rates are low. This situation leads to companies being complacent about compliance because customers have stuck with them due to a lack of choice,” said Finbold in its report.
The increase in fines sends a message to all companies doing business in the EU that compliance with the GDPR is not optional. Violations will be discovered and fines will be imposed for privacy violations, preventable data breaches, and misuse of personal data.