Read time: 01'55''
26 January 2021
Unsplash © Pietro Jeng

£245M fines paid in Europe for GDPR breaches

Despite some COVID-19 leniency, Europe is following through on its tough on privacy pledge. A new DLA Piper report details the extent of costs incurred by Big Tech and the industry as a whole.

Launched in 2018, GDPR is a European data privacy and security law that sets out a number of regulations for companies to follow when it comes to their customers’ personal data. Europe has been clear about sending a ‘tough on privacy’ signal – and thus GDPR violation can incur penalties of up to tens of millions of euros. 

And indeed, new research points towards there being substance behind the threat. Legal firm DLA Piper has revealed that, since the law’s inception, £245.3M of fines have been levied. More breaches have been exposed – and in turn more fines have been imposed – day-to-day as time has gone on. The daily rate of breach notifications grew from 278 notifications per day in 2019, to 331 notifications per day in 2020. 

According to Ross McKean, Chair of DLA Piper’s UK Data Protection & Security Group:

“Fines and breach notifications continue their double digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.” 

“However we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship”, he added. 

Per capita, Denmark reported the most data breach notifications – with 155.6 breaches reported per 100,000 people. The Netherlands and Ireland follow with 150 and 127.8 respectively. Greece, Italy and Croatia have reported the fewest breaches – although Italy’s regulator has imposed £62.4M in aggregate fines, more than any other country. 

Ross continues, “During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other “third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.” 

Thus far, France has imposed the most sizeable fine. Google was required to pay £45M by the country’s data protection body for alleged infringements of the transparency principle and lack of valid consent. 

However, on top of COVID-19 leniency, many fines have been appealed or reduced this year. To quote Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group:

“Regulators have been testing the limits of their powers this year issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way with some notable successful appeals and large reductions in proposed fines.”

“Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defences of enforcement action continue.” 

Read the report