“We are years away from having legal certainty”
European data protection regulators have dished out over €114 million in GDPR fines since the regulation came into force in May 2018, DLA Piper figures showed today, with the law firm saying it expects enforcement activity to ramp up in coming years.
The law firm said over 160,000 data breach notifications have been made in 20 months across the 28 European Union Member States plus Norway, Iceland and Liechtenstein. Current data breach notifications are running at 278 per day across Europe, it added.
The Netherlands came top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark.
That’s according to the firm’s annual GDPR Data Breach Survey. (The fines were imposed for a wide range of GDPR breaches, not just data loss/exposure, the London-headquartered firm said, noting the relatively low fines at this stage.)
GDPR Fines: Who’s Got Sharpest Teeth?
The highest GDPR fine to date was €50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for data breach, the report notes.
The UK’s Information Commissioner’s Office (ICO), meanwhile, in July 2019 published notices of intent to impose substantial fines on British Airways and US hotel chain Marriott (£183 million for BA and £99 million for Marriott).
Those now appear to have been kicked into the long grass, with the ICO admitting to law firm Mishcon de Reya that an extension has been agreed, saying: “Under Schedule 16 of the Data Protection Act 2018, [both BA and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”
(Watch out for a settlement similar to the ICO’s with Facebook, Mishcon de Reya said, pointing to the October 2019 agreement that saw Facebook pay £500,000 but make no admission of liability in relation to alleged failure to comply with the UK data protection principles covering lawful processing of data and data security.)
Early GDPR Fines “Raise Many Questions”
Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”
The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators, with 40,647, 37,636 and 22,181 notifications respectively.
The daily rate of breach notifications meanwhile has also increased by 12.6 percent from 247 notifications per day for the first eight months of GDPR from 25 May 2018 to 27 January 2019, to 278 breach notifications per day for the current year.
Commenting on the report, Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. Regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”