The annual survey of EU data breaches and GDPR fines from DLA Piper finds that at least some member nations are more willing to take big tech companies to task, with overall GDPR fines up 7x in 2021. Data regulators are also receiving more data breach notifications, a trend that has steadily increased each year since the GDPR went into effect in 2018.
The report also examines the current and anticipated impact of the Schrems II judgment, the court decision that greatly complicated transfers of personal data from the EU to the United States and other nations that lack robust data protection laws. The survey finds that this issue is the top data compliance concern for organizations, driven by fears of not just fines but also serious business interruption should data transfers suddenly be suspended.
Data regulators levy more fines in 2021, mostly to Big Tech
The headline item is that GDPR fines went up sevenfold, to a total of €1.1 billion in 2021. However, nearly 90% of this total came from just two penalties: Luxembourg's record €746 million fine against Amazon, issued in July, and the usually fine-shy Irish Data Protection Commission's €225 million fine against WhatsApp. Both fines are under appeal, and in late December the Administrative Court of Luxembourg agreed to a partial stay of the Amazon penalty.
The report points out that, because of these two giant fines, the story is not so much that regulators are more active but that some are much more active than others. The largest of 2020's GDPR fines was about €35 million against retailer H&M in Germany, where data regulators found the company had violated employee privacy in the workplace. 2020's grand total was about €170 million, which is in the same range as the €129 million left in the 2021 total once the two biggest fines are subtracted.
In terms of aggregate GDPR fines, Luxembourg and Ireland naturally shot to the top of the list on the strength of these two penalties. Italy, the most active regulator in 2020, held serve at #3, accounting for about €79 million of that remaining €129 million. France accounted for almost all of the rest with its €50 million fine against Google, the third-largest of 2021; there was relatively little activity from the other EU member states. The remaining one of note is Spain, which issues hundreds of GDPR fines but in very small amounts.
One footnote is that some successful appeals of GDPR fines reduced this total somewhat. Deutsche Wohnen SE was able to shake off a €14.5 million fine in Germany (though prosecutors are appealing that decision), and 1&1 Telecom did the same with a €9.6 million fine that was initially assessed in late 2020 and had been under appeal. The report notes that organizations are generally finding it worth their time to mount legal challenges to GDPR fines, given a fairly high rate of reductions and reversals across the EU.
Along with fine totals, breach notifications have gone up. Data regulators received about 130,000 notifications in 2021, or roughly 356 per day, an 8% increase over 2020.
GDPR fines overshadowed by expected Schrems II costs
The GDPR fines levied by data regulators are actually secondary in the report to the issues created by the Schrems II decision, a matter that still has no clear end in sight a year and a half after the ruling.
The regulatory guidance issued by the European Data Protection Board in June provided some much-needed clarity, but there is still a great deal of uncertainty. The guidance did not create clear-cut rules to govern the situation, but it did lay out specific considerations for enforcement decisions.
Thus far, the updated standard contractual clauses have kept transatlantic data transfers afloat. But the report expects continued legal uncertainty that data regulators cannot resolve on their own, with the only lasting remedy being the passage of a GDPR-equivalent data protection law in the United States. As the report notes, 101 complaints based on the Schrems II ruling are still sitting in front of data regulators awaiting a decision.
The report makes some predictions for what data regulators will do about these transfers in 2022. Though it is not a complete solution, the researchers expect an increased focus on data localization, along with added safeguards against third-party access by countries with applicable extraterritorial laws. The report also sees data regulators ramping up enforcement this year. It points out that regulators often engage in an extended period of written exchanges with organizations on this issue before moving to enforcement action, and that this correspondence usually remains private. The threat of an order to cease overseas data transfers is potentially far more costly to an organization than any fine, and such an order can arrive in the course of these private communications before any public enforcement action is announced.
In addition to data regulators, the researchers also expect financial regulators to weigh in this year. There was minimal activity from them in 2021, but more is expected in 2022 as rules governing systemic disruptions to IT systems are firmed up.