A new report from DLA Piper shows that GDPR fines are being applied more frequently, with a 39% increase in 2020 over the year and a half that preceded it since the law went into effect. The total amount fined to date across the EU member states is £245.3 million (about $332.4 million), but there remains a strong disparity in the willingness of individual national regulators to impose fines, with two countries responsible for more than 50% of that amount.
GDPR fines are up across the board, but some regulators are hesitant to flex their power
Aside from the overall increase in GDPR fines, the statistic that stands out the most is the breakdown of fines by individual nation. Italy and Germany together account for more than 50% of GDPR fines issued since May 25, 2018, with each country recording just over £69 million. The only other nations that have been nearly as active are France (around £54 million) and the UK (around £44 million). Together, those four nations make up nearly all of the GDPR fines issued to date, with Spain (around £14 million) accounting for most of the rest.
Ireland, which did not issue any fines until mid-2020 despite hosting the EU regional headquarters of most Big Tech firms, is notably absent from this list of the most active regulators. Also absent is the Netherlands, which has submitted the second highest number of personal data breach notifications (66,257) but has issued a relatively small number of fines to date. Denmark led per capita in breach notifications, with 155.6 per 100,000 people, but issued just over half a million euros in fines. Breach notifications also increased across the board; in 2020 there were an average of 331 notifications per day, a 19% increase over 2019.
In some cases, national court systems are overriding the desire of data protection agencies to issue the highest possible fines under the GDPR. For example, Austria’s federal court overturned an €18 million fine issued to the national postal service at the end of 2020. Organizations across Europe are learning that legal challenges to GDPR fines often lead to substantial reductions. Some have also been granted reductions in proposed fines due to the unique situation of the pandemic, particularly in industries (such as travel) that have been especially hard hit. Notable successful appeals include the UK fines against Marriott and British Airways.
Continued legal uncertainty about the definition of adequate security
The report notes that hesitancy to issue GDPR fines (and a general pattern of staying away from maximum fines) may be due, at least in part, to continued legal uncertainty. Some issues it points to are an unclear definition of what constitutes a “security breach” as a mandatory component of maximum fines, and the potential for class action lawsuits that certain rulings could pave the way for.
On the subject of security, another trend pointed out by the report is that “failure to implement proper security measures” has been one of the most common reasons for GDPR fines to date. However, the GDPR has never been entirely specific as to what is “appropriate” in a given situation. Some patterns are beginning to emerge in terms of what regulators tend to see as appropriate in most cases: regular monitoring of privileged user accounts and of databases containing personal information, server hardening techniques designed to protect administrator accounts, encryption of sensitive personal data, use of multi-factor authentication, and periodic penetration tests, among other elements.
One issue that is still pending is enforcement action related to the Schrems II court decision, which was issued in July 2020. There have been some legal disputes over the implementation of alternative transfer mechanisms, although a strict reading of the law requires EU companies to stop sending data to the US immediately or face penalties (including GDPR fines).
Large number of fines directed at major companies
Ability to pay and the impact on companies are factors in determining the amounts of fines, and the bulk of each country’s GDPR fines so far have been large individual actions against major technology companies and retailers. French privacy regulator CNIL handed Google a €50 million fine for its data handling practices, Germany fined retailer H&M €35.2 million for keeping improper records of employees’ personal activities at a call center, and Italy issued a €27.8 million fine to the Italian telecommunications operator Telecom Italia for its marketing and data management activities.
While Ireland has yet to issue substantial fines, Big Tech firms appear to expect them shortly. Facebook has reportedly set aside €302 million for pending fines from the Irish Data Protection Commission through 2022, with subsidiary WhatsApp setting aside an additional €75 million for the same purpose.