€114m in GDPR fines since effectivity still low, expert says

Breach notifications top 160,000 in Europe since the law became effective in May 2018

While European Union authorities have imposed €114m in fines since the General Data Protection Regulation (GDPR) went into effect, an expert says the sum is still low compared to what the regime allows.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million-euro fines being imposed over the coming year as regulators ramp up their enforcement activity,” said Ross McKean, DLA Piper partner and cyber and data protection specialist.

DLA Piper said that the fines were imposed not just for data breaches, but for a wide range of GDPR violations. France, Germany, and Austria levied the most in terms of fine value at €51m, €24.5m, and €18m, respectively. However, the total for France was heavily skewed by its €50m fine on Google last year, which is still the largest fine imposed over GDPR violations.

Breach notifications have topped 160,000 in Europe since the law came into force in 2018, DLA Piper said. The countries with the most data-breach notifications were the Netherlands, Germany, and the UK, which reported 40,647; 37,636; and 22,181 notifications, respectively.

The rate at which breach notifications are filed with authorities has also increased. DLA Piper said that in the first eight months of GDPR, there were 247 notifications filed per day, which increased to 278 per day for 2019.

Weighted against population, the Netherlands had the most breach notifications at 147.2 per 100,000 people, followed by Ireland with 132.52, Denmark with 115.43, Iceland with 91.15, and Finland with 71.11.

DLA Piper looked at notification data, including from Norway, Iceland, and Liechtenstein, but it could not include data from European Union member states that do not publicly disclose notification statistics.

Patrick Van Eecke, who chairs DLA Piper’s international data protection practice, said that the early GDPR fines have raised many questions.

“Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years,” he said.