GDPR fines increase 19% year-on-year as regulators ‘test limits of powers’

International law firm DLA Piper said there were 331 breaches in the 12 months from 28 January 2020, compared to 278 a day the previous year.

Ross McKean, chair of DLA Piper’s UK data protection and security group, said: “Regulators have shown their willingness to use their enforcement powers.

“They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.”

“However we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship.”

McKean added that in the coming year we should see the first enforcement actions relating to the restrictions on transfers of personal data to the US and other third countries following the Schrems II court ruling.

Overall, regulators have imposed fines totalling €272.5m ($330.1m) for breaches of the General Data Protection Regulation (GDPR) since the EU-led data protection law came into force on 25 May 2018, according to the survey by international law firm DLA Piper. 

The research covers the 27 European Union members, plus the UK, Norway, Iceland and Liechtenstein.

Italy tops the rankings for aggregate fines levied at €69.3m, closely followed by Germany at €69.1m. France is third at €54.4m, then the UK €44.2m and Spain €14.5m.

The highest fine to date is €50m the French data protection regulator imposed on Google for alleged infringements of GDPR’s transparency principle and lack of valid consent.

Data breach notifications total more than 281,000, with 77,747 reported in Germany, 66,527 in the Netherlands, 30,536 in the UK, 18,938 in Denmark and 17,131 in Ireland.

“France and Italy, countries with populations over 67m and 62m people respectively, only recorded 5,389 and 3,460 data breach notifications for the same period illustrating the cultural differences in approach to breach notification,” DLA Piper commented on the findings.

When results are weighted against country populations, Denmark leads the field with 155.6 suspected breaches notified per 100,000 people. The Netherlands is next with 150.0, followed by Ireland with 127.8, Slovenia 80.0 and Finland 71.8.