€273m GDPR Penalties Applied Since it Became Enforceable

A report has been published by Law firm DLA Piper that reveals European Union-based companies handed over financial penalties totalling €272.5m ($329m) in relation to wide range of General Data Protection Regulation (GDPR) breaches since May 25 2018.

In addition to this the aggregate daily rate of breach alerts doubled for the second consecutive 12-month period with 331 alerts issued per day since 28 January 2020, a 19% rise from the 278 breach notifications daily rate for the previous year.

The report says that the results of the research shows there is a persistent “failure to implement appropriate security measures”.  This is the main reason for the ongoing growth of GDPR fines.

Chair of DLA Piper’s UK Data Protection & Security Group Ross McKean said: “Fines and breach notifications continue their double digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead. However we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other “third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

The GDPR fines were handed over paid by businesses located in the 27 EU member states along with the UK, Norway, Iceland and Liechtenstein. The greatest percentage of the total was paid by companies based in Italy (€69.3m) followed closely by Germany (€69.1m) and France (€54.4m).

Over figures made public by the report include:

  • 281,000 GDPR data breach alerts have been broadcast.
    • This was made up by Germany (77,747), The Netherlands (66,527), the UK (30,536), France (5,389) & Italy (3,460).
  • Businesses located in Europe have paid €272.5m ($329m)
  • The largest GDPR fine was €50m – issued against Google
  • In the UK two GDPR penalties were cut from £282m in total to £28.4m
  • Denmark registered the greatest amount to breaches per 100,000 people with 155.6 per 100,000 people, Netherlands recorded a rate of 155.6 and Ireland 127.8