A new report from DLA Piper shows that GDPR fines are being handed out more frequently, with a jump of 39% in 2020 over the previous year-and-a-half since the law went into effect. The total fine count to date for the whole of the European Union member states is £245.3 million (about $332.4 million), but there remains a strong disparity in the willingness of individual national regulators to issue fines with two countries responsible for over 50% of that amount.
GDPR fines up across the board, but some regulators hesitate to flex their power
Aside from the overall increase in GDPR fines, the statistic that stands out the most is the amount of fines broken down by individual nation. Italy and Germany together represent over 50% of the GDPR fines since May 25, 2018, with each country clocking in at a little over £69 million. The only other nations that have been nearly as active are France (about £54 million) and the United Kingdom (about £44 million). Together those four nations make up nearly all of the GDPR fines issued to date, with Spain (about £14 million) accounting for most of the rest.
Noticeably absent from this list of most active regulators is Ireland, which did not issue any fines at all until mid-2020 in spite of hosting most of Big Tech’s regional EU headquarters. Also absent is the Netherlands, which has had the second-largest number of personal data breach notifications filed (66,257) yet has issued a relatively small total of fines to date. Denmark was the per capita leader in breach notifications, with 155.6 per 100,000 people, but issued only a little over half a million Euros in fines. Breach notifications were up across the board as well; in 2020 there was an average of 331 breach notifications per day, an increase of 19% from 2019.
In some cases, the national court systems are overriding a desire by the data protection agencies to issue the highest GDPR fines possible. For example, a fine of €18 million issued to the national postal service in Austria was overturned by the country’s Federal Court in late 2020. Organizations throughout Europe are learning that legal challenges to GDPR fines often result in very substantial reductions. Some have also been granted reductions in proposed fines due to the unique pandemic situation, particularly in industries (such as travel) that have been especially hard-hit by the conditions. Notable successful appeals include the UK’s fines of Marriott and British Airways.
Continued legal uncertainty over definition of appropriate security
The report notes that the hesitancy to issue GDPR fines (and a general pattern of staying far from the maximum fines) may be at least in part attributable to continuing legal uncertainty. Some issues that it points out are an unclear definition of what constitutes a “breach of security” as a mandatory component of maximum fines, and the potential impact of class-action suits that certain judgments might pave the way for.
On the subject of security, another trend noted by the report is that “failure to implement appropriate security measures” is among the most common reasons for GDPR fines in the early going. However, the GDPR has never been entirely specific as to what is “appropriate” in any given situation. Some patterns are beginning to emerge in terms of what regulators tend to view as appropriate in most cases: regular monitoring of privileged user accounts and of databases that contain personal information, server hardening techniques designed to protect administrator accounts, encryption of sensitive personal data, use of multi-factor authentication, and regular penetration testing, among other items.
One item that is still pending is enforcement action related to the Schrems II court decision, which came down in July of 2020. There has been some legal wrangling over getting alternative transfer mechanisms in place, though a strict interpretation of the law requires EU companies to stop sending data to the US immediately or face penalties (including GDPR fines).
Bulk of fines targeted at major firms
Ability to pay and impact on business are both factors in determining fine amounts, and the bulk of each country’s GDPR fines thus far have been large single actions against major technology and retail firms. The French privacy regulator CNIL handed out a €50 million fine to Google for its data handling practices, Germany fined retailer H&M €35.2 million for keeping improper records of employees’ personal activities at a call center, and Italy issued a €27.8 million fine to telecommunications operator Italian Telecom for its data handling and marketing activities.
While Ireland has yet to issue substantial fines, Big Tech firms appear to be expecting them shortly. Facebook has reportedly set aside €302 million in expectation of fines forthcoming from the Irish Data Protection Commission by 2022, with subsidiary WhatsApp stashing away an additional €75 million for the same purpose.