Number of GDPR Fines Rose 7x in 2021
The cost is skewed by massive fines but a new survey shows there was still a steady increase in the number of GDPR fines across the EU last year.
If you've been following the seemingly endless data breach news cycle, it may not a huge surprise that data breach notifications across the European Union were up last year.
The increase coincides with a with a sevenfold uptick in General Data Protection Regulation (GDPR) fines, according to DLA Piper, an international law firm whose cybersecurity and data protection team puts out an annual data breach survey tracking GDPR trends each January.
The law firm has carried out the survey every year since 2019, the year after the GDPR went into effect; it looks at readily available metrics from the European Economic Area (EEA) and the UK.
In this year's survey, which accounts for GDPR fines issued since January 28, 2021, the firm notes that the increase in notifications - 130,000 total - boils down to 356 per day, an 8 percent bump over 2020's 331 notifications per day.
Luxembourg and Ireland, whose data protection authorities both imposed massive fines in 2021, took over the top spots on the law firm's list of countries with the largest fines imposed to date. Italy and Germany, previously the number one and number two spots on the list, have been bumped down to third and fourth:
In July last year, Luxembourg’s National Commission for Data Protection (CNDP) announced that it'd be fining Amazon €746 million ($887 million) for not complying with GDPR. Until that point, the biggest GDPR fine had been 14 times smaller, a fine from two years prior, a €50 million penalty issued by France’s CNIL to Google for making it difficult for internet users to refuse online trackers.
Ireland, whose Data Protection Commission is considered by many experts to be one of the world's most stringent, fined WhatsApp €225 million in September and parent company Facebook €35 million in October for issues relating to EU data rules about transparency.
In the future, assuming the fines go through – they’re both still going through appeals processes – it’s going to be hard not to view them, especially Luxembourg’s fine of Amazon, as a gamechanger. They’ve clearly swayed the sheer value of fines last year. The cost of GDPR fines went from €158.5 million, or $179 million in 2020 to €1.087 billion, or $1.23 billion, in 2021.
Italy, which sat atop the list of countries with the highest total value of GDPR fines in 2020 held steady last year, in third, with €79,144,728. If Luxembourg and Ireland hadn’t issued the fines they did, it would still be in the top spot.
While the survey mostly digs into the changes around GDPR fines, it notes there is a degree of legal uncertainty circling around Schrems II, a case from July 2020 involving Austrian privacy campaigner Max Schrems, that found the protection of personal data in the had limitations due to domestic law. The decision invalidated the EU-U.S. Safe Harbor agreement and made it harder to share data between the EU and US. Organizations in the EU are still grappling with the judgment, trying to adhere to recommendations issued by the European Data Protection Board. If data transfers are ever disrupted by authorities, the survey suggests the outcome could be potentially more damaging and costly than fines.
“The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers. Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations and is beyond the means of many small and medium sized enterprises," Ewa Kurowska-Tober, Global Co-Chair of DLA Piper's Data Protection & Security Group said earlier this month.