There was a massive surge, to $1.2bn, in fines sanctioned in relation to breaches of the European Union’s General Data Protection Regulation law during 2021 according to a new report issued by law firm DLA Piper.
The $1.2bn figure represents an increase of $180m on the amount of fine sanctioned for 2020. If a beach of GDPR is identified then the group responsible can be hit with a penalty of as much as 4% of a company’s annual global revenue for the previous financial year or €20m ($22.8 million), whichever amount is larger.
Ross McKean, chair of DLA Piper’s U.K. data protection and security group, told CNBC. “GDPR has certainly been effective in making everyone sit up and listen to data protection law and data protection enforcement. Prior to GDPR, if you got hit with a fine and you were one of the bigger processors, it was a rounding error, it would barely pay for the Christmas party. Now, you’ve got fines that are close to a billion euros.”
He went on to explain that it can “take(s) a while” for regulators to sanction massiver large fines following the introduction of a new law. He added: “That’s because investigations take a while. And the law is still full of lots of open legal questions.”
In 2021 there were a number of large fines including the Data Protection Commission of Ireland hitting WhatsApp with a €225m fine and Luxembourg’s privacy watchdog sanctioning Amazon with a €746m GDPR fine. There are active appeals against both of these penalties.
In another recent case Austria’s data protection group suggested that using Google Analytics is a breach of GDPR as there is a chance that U.S. intelligence agencies will be able to intercept users’ data. The case is not directly related to actions performed by Google but by a website publisher using Google’s web analytics service.
Like Meta and other large U.S. tech companies, Google relies on SCCs to process EU-U.S. data transfers. At the time, Google said firms using Google Analytics “control what data is collected with these tools, and how it is used,” and that the company provides a “range of safeguards, controls and resources for compliance.”
McKean said: “Every organization — with some limited exceptions — has an international supply chain and international data transfers”. He went on to say that the Schrems II ruling has had a “profound” impact on all companies.
Teh Schrems II ruling refers to the 2020 European Court of Justice (ECJ) ruling which invalidated the use of the Privacy Shield framework for transferring data across the Atlantic to the United States. It was labelled “Schrems II” after Austrian privacy activist Max Schrems, who initiated the case.
Following the ruling, the ECJ held that the validity of standard contractual clauses, a different way of seeing to it that EU-U.S. data flows are legally acceptable.