DLA Piper’s annual report covering EU data breaches and GDPR fines reports a record year in penalties, with a total of €2.92 billion levied throughout the bloc in 2022. This is in spite of a small drop in the overall breach count, but it is important to remember that fines are often assessed for complaints and cases that were initiated years before.
The report also indicates that the bloc’s regulators are making AI more of a priority, as concerns run rampant about everything from facial recognition tools to ChatGPT.
Record total of GDPR fines headed up by Ireland and Luxembourg
The record amount was more than double the aggregate GDPR fines issued in 2021. There were two particular areas of enforcement that drove this major increase: more fines issued in relation to behavioral advertising and ad targeting practices, and some very large penalties issued to the Meta family of companies.
The Irish Data Protection Commission (DPC) finally coming off the bench in a number of big cases was a major contributing factor to the fine total. A good deal of the 2022 total belongs to its large penalties to Meta for child data protection issues and failure to implement required “data protection by design” principles, though the company is still in the appeals process for each of these penalties. That pattern may be continuing as the Irish DPC has already started off 2023 with two large GDPR fines to Facebook and Instagram over targeted advertising practices.
In total the amount of GDPR fines across Europe increased 168% from the 2021 tally. Across the board, the report finds that regulatory bodies are becoming more confident in assessing GDPR fines. Part of this confidence stems from the established record of the European Data Protection Board (EDPB), which not only did not reduce any fine amounts proposed by a lead regulatory authority but in all of its cases ended up increasing the eventual penalty amount.
Ireland led the EU regulators with a little over one billion euros in fines, followed by Luxembourg at about €746 million. No real surprises there, as these are the two primary jurisdictions in which technology companies establish their EU headquarters. However, France has emerged as a leader in regulatory action with over €428 million in fines. No other nation in the bloc issued more than €100 million in GDPR fines, and the majority were under €10 million. Slovenia was the only nation that had no GDPR fines whatsoever on record for the year.
Data breach notifications down, AI increasingly in the crosshairs
Data breach notifications have trended up since the GDPR went into effect in 2018, but that growth now appears to be slowing in spite of the record amount of GDPR fines. The report theorizes that the small reduction is primarily owed to improved recording of data breach notification figures by data protection supervisory authorities, as well as improving maturity in the notification procedures of organizations.
Germany led the way for total personal data breach notifications, switching positions with the usual frontrunner, the Netherlands, in 2022. These two countries experience more than twice as many data breach notifications as any other EU member, with only Poland and the United Kingdom anywhere in the neighborhood. The Netherlands continues to lead in the number of per capita data breach notifications, however, and this number is similarly high in Denmark, Liechtenstein, Ireland and Finland.
Artificial intelligence enforcement has also ramped up, meriting its own two-page section in the report. The authors note the EDPB’s guidance on the use of AI in law enforcement facial recognition technology, as well as several nations issuing their own independent opinions. But enforcement is taking place even as both the regulations and the market itself develop, with privacy crusader Max Schrems filing numerous complaints against facial recognition outfit Clearview AI. These complaints turned into substantial fines from Greece, France, Italy and the UK in 2022. The researchers expect the EU AI Act to be finalized in 2023, along with an increase in both guidance being issued and enforcement actions being taken.
The report concludes by reviewing the ongoing impact of the Schrems II court decision, and the likelihood of a Schrems III case being brought as the EU and US forge ahead with a new data privacy framework that could be approved by mid-2023. DLA Piper projects that this agreement will definitely be challenged in court, but may hold up for at least the duration of 2023; at minimum, organizations should have alternative options ready to deploy by that point, such as SCCs paired with transfer impact assessments.
In terms of data breaches, they are likely to become more expensive for organizations in 2023, at least when they span multiple countries and the EDPB gets involved. When multi-nation data breach cases end up going to the board, the original proposed fine amount is increased by an average of 630%.