The General Data Protection Regulation (GDPR) has been in effect since 25 May 2018, or a little over a year and a half at this point. In that relatively short amount of time there have been over 160,000 data breaches requiring enforcement, and over $126 million in GDPR fines.
This information comes from the recently published GDPR Data Breach Survey conducted by the major multinational law firm DLA Piper.
The distribution of GDPR fines
The GDPR stipulates that any data breach that represents a potential risk to the “rights and freedoms” of any persons must be reported to the country’s Data Protection Authority (DPA) within 72 hours of discovery. Organizations are also required to notify the data subjects of the breach without “undue delay.” A breach won’t always result in GDPR fines, but a failure to report and notify properly will.
From the onset of the GDPR to January 27 of this year, there have been 160,921 personal data breaches in the European Union. Both breach notifications and GDPR fines have increased in the past year as data protection authorities appear to be cutting organizations less slack.
A full $57 million of the $126 million total fines under the GDPR was racked up by Google, which was fined in France a year ago for failing to adequately disclose data collection terms to users. Larger fines to British Airways ($230 million) and Marriott ($123 million) for their respective high-profile data breaches have been proposed in the United Kingdom, but have yet to be finalized as of the end of January 2020.
Data protection authorities have a great deal of independence in determining how they will fine organizations. There is already a striking disparity in the number of data breaches reported among EU member nations. The Netherlands (over 40,000) and Germany (over 37,000) lead all member nations, with the United Kingdom (over 22,000) and Ireland (over 10,000) behind them. No other nation has issued more than 10,000 notifications. Iceland, Greece and about half a dozen smaller member nations have issued fewer than 500. When results are weighted on a per capita basis, there is little change to the order of this list.
Likewise, some countries are much stricter with their GDPR fines than others. France is the leader, but only due to the massive fine of Google; remove that €50 million fine and it would drop to the back of the pack. Germany, Austria and Italy have been the most active in issuing fines. Seven nations, including Finland and Ireland, have yet to issue a single fine.
Is too little enforcement going on?
At a glance, these numbers seem rather low. DPAs are imbued with the power to fine offending organizations up to 4% of their total global turnover. No fines have come close to approaching this maximum, however. The largest fines that have been assessed so far are still relatively small when stacked up next to company revenue.
Though there was no formal “grace period” for organizations once the GDPR went active, there was always an expectation that enforcement actions would be more limited in the early going. There are a couple of reasons for this. One is the expectation that DPAs across Europe would need some time to ramp up and refine their operations, a concern that has turned out to be accurate. The other is a need to solidify interpretations of what is somewhat vague language in the GDPR regarding fine conditions and amounts. The expectation has always been that it would take some setting of precedents before DPAs would feel comfortable rolling out more regular fines.
The study also suggests that DPAs may be stopping short of harsh GDPR fines in cases where liability is publicly established and there is a strong likelihood of a class action lawsuit being based on that.
As Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, points out:
“One should bear in mind that the GDPR’s formidable 4% of the annual revenue is reserved for the most flagrant (e.g. systematic, reckless or willful) violations of the law. Otherwise, fined companies may just go out of business and consequently increase unemployment, reduce social welfare and undermine the economy. European courts are well aware of these ramifications and will likely remain reasonable and prudent when imposing fines. Cooperation, transparency, remediation and compensation to the victims are all to be considered when imposing a monetary fine under GDPR. Ultimately, an excessive or disproportionately harsh fine can always be disputed on appeal, and possibly reduced or even cancelled.”
The future of calculating GDPR fines
An exact method of calculating GDPR fines was not established in the original regulations; it was expected that each of the member states would come up with their own standards.
This is a fluid process that is still being worked through nearly two years in. The GDPR provides guidelines, but no specific figures save the maximums for the most serious violations.
Article 83 is the basis the DPAs are given to work from, and provides 11 guidelines to be considered when determining the size of fines. These include the scope of the breach, whether or not there was negligence or intent, the offender’s history of incidents, and remediation efforts, among other factors.
Spotty enforcement and underwhelming fines will likely continue for some time, as some DPAs are still facing major staffing struggles, and every country will have legal challenges that ultimately influence standards. One often overlooked factor is the level of public awareness in each country, since GDPR enforcement is ultimately driven by complaints from consumers. A survey sampling from mid-2019 indicates that about two-thirds of Europe as a whole is aware of the GDPR, but awareness varies greatly between countries. For example, 90% of Sweden is aware of the regulations, but only 44% of France is, despite that country having handed out the largest fine to date.