Data protection fines hit £100m during first 18 months of GDPR
European countries have imposed approximately €114 million (£97 million) in data protection fines on businesses since revamped laws came into force in May 2018.
- Regulators have received 160,000 data breach reports, with UK firms third-most reported across Europe
Approximately two-thirds of penalties administered under the General Data Protection Regulation (GDPR) have been levied by German and French data protection authorities to date.
However, the data excludes major fines against British Airways and Marriott International of £183 million and £99 million respectively, issued by the UK’s Information Commissioner’s Office in July 2019, as these penalties have yet to be finalised. Once collected, the overall figure for the continent could rise to £379 million.
These fines have been issued across more than 160,000 data breach notifications reported in the 31 nations that have adopted GDPR, according to research by law firm DLA Piper.
There has also been a marked increase in the rate of reporting, with 247 reports per day during the past six months of GDPR between May 2018 and January 2019, rising to 278 per day throughout last year.
“GDPR has driven the issue of data breach well and truly into the open,” said Ross McKean, a DLA Piper partner specialising in cyber and data protection.
“The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.
“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”
The total fines imposed under GDPR by the UK’s ICO stands at just €320,000 (£274,000), pending the closure of penalties against BA and Marriott.
Authorities based in France have collected the most in GDPR fines to date, meanwhile, at €51,100,000 (£44 million) which can be attributed almost exclusively to the record penalty against Google, issued in January last year.
The German data regulator has also been active, imposing fines exceeding €24 million (£20 million). This included penalties against a telecom giant for not taking sufficient measures to prevent unauthorised access to customer data, as well as a property firm for hanging onto personal and financial data of housing tenants for longer than required.
While the UK ranked third in the total number of breach notifications, with 22,181 reports since May 2018, this translated to a relative ranking of 13th for data breach notifications per 100,000 people.
The Netherlands ranked first in this category, closely followed by Ireland, which could be explained by the fact that the headquarters of many companies are registered in these nations for tax purposes, and whose data protection authorities will be called upon to lead investigations.
Registering fewer breach notifications per 100,000 people can also be interpreted as a sign that businesses are more attuned to the new data protection laws in particular counties more than others.
Much of this can be explained by how strict the data protection laws were before GDPR came into force, as these were not harmonised across Europe in the same way.
Businesses in the UK, for instance, were required to abide by the Data Protection Act 1998, which did not significantly diverge from the new regulations. This may have been different for organisations based in countries with laxer data protection regulations.
All previous laws, however, were generally based on the EU’s Data Protection Directive, which was adopted in 1995.
“Many of the requirements and concepts are similar,” McKean continued. “But GDPR includes turbo-charged individual rights, a brand new requirement for data breach notification, a much greater focus on accountability including the requirement to document all processing activities in an “Article 30 record” and powers for regulators to impose huge revenue-based fines.”
As for why the UK ranks just 13th on the list of countries with the most data breach notifications per 100,000 people, and why there is such variety, McKean suggested it could be explained by the way different countries understand the regulations.
“GDPR is interpreted quite differently across Europe,” he added. “Although it’s the same legal text, as it is principle-based and open to interpretation that’s exactly what has happened in practice.
“In the UK, the Information Commissioner – receiving over 1,000 breach notifications per month – is encouraging controllers to consider whether a security breach really does meet the threshold for notification, or not. That approach seems to have suppressed the number of notifications in the UK relative to other countries.”
Meanwhile, due to the nature of the one-stop-shop principle, the role and remit of the Irish Data Protection Commission (DPC) has rapidly expanded since GDPR came into force.
Although the DPC has collected nothing in GDPR fines since May 2018, the regulator is inundated with reports, ranking fourth overall for notifications, and finds itself spearheading countless large-scale investigations into the world’s biggest tech companies.
The DPC issued an update in February last year, for example, revealing it had opened 15 investigations into large tech companies with ten of those probes into services operated by Facebook alone.
Since then, it has undertaken several further large-scale investigations, into companies like Google, Quantcast, and Facebook again.