European data regulators issued €1.1bn in GDPR fines in 2021
European data regulators issued €1.1 billion (£920 million) in GDPR fines last year, a 585% increase compared to 2020.
This is according to international law firm DLA Piper, which surveyed 27 EU member states, as well as the UK, Norway, Iceland, and Liechtenstein.
The survey identified an 8% increase in GDPR breach notifications from 2020’s average of 331 notifications per day to 356 in 2021.
Since 28 January 2021, there have been over 130,000 notified personal data breaches in total, with the Netherlands having the most breach notifications per 100,000 people respectively. On the other end of the spectrum, Croatia, the Czech Republic, and Greece reported the fewest number of breach notifications per capita.
Luxembourg issued the highest individual GDPR fine in 2021 with its €746 million fine levied against Amazon. It followed by Ireland and its €225 million fine imposed against WhatsApp, and France with its €50 million fine against Google.
The UK came in sixth place with the £20 million fine imposed on British Airways for losing the financial and personal details of around 380,000 customers in a cyber attack in September 2018.
DLA Piper’s survey also identified Schrems II, based on the 2020 ruling of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, as the most common GDPR compliance challenge for organisations.
The case was originally brought by privacy activist Max Schrems, who claimed that Facebook was unjustified in its use of so-called ‘standard contractual clauses’ for the transfer of data between its EU headquarters and its US base in Silicon Valley. On 16 July 2020, the European Court of Justice decided that the data transfer mechanism known as Privacy Shield was unable to protect EU residents’ data from extensive US surveillance mechanisms, making it no longer valid under GDPR.
John Magee, Partner and Head of Data Protection & Information Security at DLA Piper Ireland, said: “It is four years since the implementation of GDPR and we are now seeing significant fines imposed for a wide range of infringements of Europe’s rigorous data protection laws. This year, regulators have issued record fines surpassing one billion euro and Ireland now ranks second overall for total fines to date, demonstrating the significant position and influence of the Data Protection Commission (DPC) in the EU. Given that Ireland is home to some of the world’s largest data businesses there is no doubt that the DPC will continue to play a central role in the enforcement of GDPR in Europe.”
© Dennis Publishing