More GDPR Penalties applied in the UK than in Italy & France Combined

A report released by BuyShares has revealed that the United Kingdom tops for the imposition of data breach penalties with €132.7 million in the total value of General Data Protection Regulation fines since the legislation was became enforceable on May 25 2018.

To gain a true understanding of how high this figure is it was also revealed that it is higher than the combined total of fines sanctioned in Germany and Italy combined. However, there are some mitigating reason for the figure in the UK being so high. One reason is that the Information Commissioner’s Office (ICO) in the UK hit Marriott International with a €110.4m GDPR penalty as a result of a cyber attack taking place that affected approximately 340m client records. In addition to this there was the recent €22m GDPR fine sanctioned against British Airways for failing to protect the personal and financial details of more than 400,000 of its customers. While the fine that BA received is quite significant, it is much lower than the initial €204.6m fine that had been proposed in 2019. The financial impact of the COVID10 pandemic played a part in the fine being reduced.

Indeed, the largest five fines for GDPR breaches in the European Union account for 705 of the total fines sanctioned since the data privacy legislation became live in 2018. These five penalties include, along with the Marriot penalty and BA (1st and 5th on the list respectively):

  • Google being penalized to the tun eof €50m in France by the data protection regulator, CNIL, in relation to not supplying users with details on its data consent policies and allocating them more management of their private data.
  • H&M Hennes & Mauritz Online Shop was ranked third on this list with €35.2m worth GDPR penalty for the insufficient legal basis for data processing
  • The €27m GDPR breach fine for Italian telecommunications operator TIM. This penalty was applied on January 15, 2020 for unlawful data processing, non-compliant aggressive marketing strategy, and invalid collection of consents.

Together these five data breach penalties resulted in fines greater then €245m or 70% of cumulative GDPR fine value.

On a country by country scale Germany was ranked second behind the UK with €61.6m in the cumulative value of GDPR fines. On October 1st, 2020, the H&M Hennes & Mauritz Online Shop fine became the most severe sanction in the country. In third place came Italy where the Italian data protection authority (Garante) applied €57.3m worth of GDPR fines since the legislation was introduced. The TIM fine was the largest in Italy.

Following Italy France came in fourth with a cumulative €51.3m of GDPR financial penalties, the Google fine making up 97.5% of the total.

Other countries included were Austria, Sweden, and Spain follow, with, €18 million, €7million, and €3.9 million, respectively.

To date more than €344m GDPR fines have been sanctioned in the EU, with almost €119mo this figure imposed at some point during 2020.