Americas

  • United States

Asia

Oceania

mhill
UK Editor

European data protection authorities issue record €1.65 billion in GDPR fines

News
Jan 17, 20234 mins
ComplianceData PrivacyRegulation

DLA Piper’s GDPR and Data Breach survey shows a 50% increase in fines in the last 12 months. Data protection authorities turning their focus to artificial intelligence.

Binary flag of the European Union viewed through a magnifying lens and showing a ripple effect.
Credit: MixMagic / Getty Images

European data regulators issued a record €1.65 billion in fines last year, a 50% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.

Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).

The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.

GDPR fines continue to rise as authorities’ confidence grows

The latest edition of the GDPR and Data Breach survey showed a significant year-on-year increase in the aggregate value of GDPR fines. “The increase demonstrates supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR, particularly against large technology vendors, and has also been influenced by the highly inflationary impact of the EDPB,” the report read. “Local data protection authorities will no doubt have been watching the EDPB decisions under the GDPR consistency mechanism with interest and will know that the EDPB is yet to reduce any fine proposed by a lead supervisory authority. All EDPB decisions regarding fines have resulted in a significant increase in the final fine imposed,” it added.

The survey also highlighted the impacts of some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data.

Ross McKean, chair of the UK Data Protection and Cybersecurity Group, stated: “The spate of Irish DPC fines targeting the behavioral advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the “grand bargain” at the heart of today’s ‘free’ internet. Given what is at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”

Ireland (€1,303,514,500), Luxembourg (€746,345,675), and France (€428,238,300) topped the list of the total value of GDPR fines imposed from May 25, 2018, to date, with the UK (€59,242,800) in seventh.

Data regulators increase focus on use of AI

Data protection regulators are increasing their focus on use of AI and the role personal data plays in training AI technology, the report stated. “AI is impacting every sector, from process automation, machine learning, chat bots, facial recognition through to virtual reality and beyond. Personal data is often the fuel that powers AI used by organizations. It tailors search parameters, spots behavioral trends, and predicts future possible outcomes,” the report read. As many AI systems use personal data, regulation of these systems often falls within the scope of GDPR. “Several data protection supervisory authorities have issued guidance on the use of personal data for AI this year,” the report added.

In May 2022, the UK Information Commissioner’s Office (ICO) fined facial recognition company Clearview AI Inc £7,552,800 for breaking data protection laws over its use of images of people’s faces and data from publicly available information. The ICO claimed the firm collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database but failed to inform people that their images were being collected or used in this way.

mhill
UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author