GDPR fines rose 600 per cent last year

Luxembourg and Ireland handed out the highest individual and aggregate fines in 2021


Fines for breaching the General Data Protection Regulation (GDPR), the EU's landmark privacy legislation, grew nearly 600 per cent last year to exceed €1 billion.

Data protection authorities in the EU (plus the UK, Norway, Iceland and Liechtenstein) have handed out a combined total of nearly €1.1 billion in fines since 28th January 2021, according to research from law firm DLA Piper. That's up from just €158.5 million in the preceding year.

Breach notifications - firms telling regulators they have been compromised - rose more slowly, up eight per cent to about 356 every day. The Netherlands topped the breach notification rankings when judged on a per capita basis.

The GDPR came into force in 2018, and has been hailed as the world's most consumer-friendly privacy legislation. It forces companies to prove they have a legal basis and a reason to collect users' data; stops them from sending that data outside certain regions for processing; and requires them to declare any data breach within 72 hours.

Failure to comply with these requirements carries the threat of a hefty fine: as much as four per cent of global annual turnover or €20 million, whichever is higher.

Luxembourg handed out the highest individual fine last year (a €746 million penalty against Amazon), followed by Ireland (€225 million against WhatsApp) and France (€50 million against Google in December 2020). Luxembourg and Ireland also topped the list of countries issuing the highest aggregate fines, followed by Italy.

Despite the growth in fines, DLA Piper believes the Schrems II judgement in July 2020 continues to be the top data protection compliance challenge for many organisations caught by GDPR. Both Schrems II and Article V of the GDPR impose strict limits on the transfer of personal data outside the EU and UK, with the Schrems judgement in particular requiring detailed risk assessments - greatly increasing the compliance burden on firms.

Schrems II invalidated Privacy Shield, covering EU-US data transfers, but left standard contractual clauses (SCCs) in place. Cloud companies like AWS and Microsoft can use SCCs as a legal mechanism for data transfers, but other firms - notably Facebook parent Meta - cannot do the same. Google has called on the EU to speed up its work to find a replacement for Privacy Shield, after Austria's data protection regulator ruled that Google Analytics breaks the GDPR.

Ross McKean, Chair of the UK Data Protection and Security Group at DLA Piper, said: "The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims. The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks."