European nations issue record €1.1 billion in GDPR fines

Authorities across Europe issued huge amounts in GDPR fines during 2021. Luxembourg and Ireland took up the top spots, replacing Italy and Germany.


European data protection authorities have issued fines of €1.1 billion ($1.2 billion) under the General Data Protection Regulation (GDPR) since 28 January 2021, according to the annual GDPR Fines and Data Breach Survey by international law firm DLA Piper.

The survey—which spanned 27 European Union members, the European Economic Association members Norway, Iceland, and Liechtenstein, and now-former EU member the UK—found there was a sevenfold increase in fines in 2021.

The year saw all-time high fines imposed by Luxembourg and Ireland, which replaced Italy and Germany in the top two spots in the aggregate fines tally. Luxembourg and Ireland issued a total of €746 million ($843 million) and €226 million ($255 million) in fines, respectively, pushing Italy down to third place with €79 million ($89 million) in fines.

With this, the Luxembourg National Commission for Data Protection (CNDP) became the highest issuer of a single GDPR fine to date, imposing a €746 million fine on US-based online retailer Amazon. This was 14 times higher than the previous highest single fine, €50 million ($57 million), imposed by France on Google in 2019.

Schrems II judgment triggers the increase in GDPR fines

The nearly sevenfold increase in fines this year is being widely attributed to the stringent regulations directed under the European Court of Justice’s Schrems II judgment. “Schrems II judgment and its profound implications for data transfers have established itself as the top data protection compliance challenge for many organizations caught by GDPR,” said Ross McKean, chair of the UK Data Protection and Security Group.

The Schrems II judgment invalidated the European Commission’s Privacy Shield Decision affecting data transfer between EU and US businesses on account of invasive US surveillance programs. The privacy shield framework was meant to provide for the lawful transfer of personal data from the EU to the US while adhering to certain data protection safeguards. The personal data transfer is now possible only through standard contract clauses stipulating data-protection levels equivalent to that of GDPR and the EU Charter of Fundamental Rights.

The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers, said Ewa Kurowska-Tober, global cochair of DLA Piper’s Data Protection and Security Group. “What is really needed is a resolution of the underlying conflict of laws rather than imposing an unrealistic compliance burden onto businesses and is yet another headwind to international trade just as we emerge from the global pandemic,” she said.

Reported breaches on the rise across Europe

The DLA Piper survey also noted a trend of increasing numbers of daily data breach notifications in Europe for the third year running.

More than 130,000 personal data breaches have been notified to regulators since 28 January 2021, with an average of 356 breach notifications per day. This is an 8% jump on 2020’s 331 notifications a day.

The Netherlands reported an average of 150.7 breaches per day, the highest number per 100,000 people among the surveyed countries. Greece, Czechia, and Croatia have had the fewest reported breaches per capita since 2018.

Copyright © 2022 IDG Communications, Inc.
