The past year has seen double-digit increases in the value of GDPR fines imposed by regulators and the volume of breaches notified to regulators, according to a new analysis by DLA Piper.
The international law firm said that €158.5m ($192m, £141m) in fines has been imposed since January 28 2020, a 39% increase on the previous 20-month period since the law came into force in May 2018.
Breach notifications surged by 19%, the second consecutive double-digit increase, to reach 121,165 over the past year.
In total, €272.5m ($332m, £45m) in fines has been issued since the start of the new regulatory regime, with Italy (€69m) having imposed the largest number, followed by Germany and France.
Total breach notification volumes have reached 281,000, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table. However, when weighted according to national populations, Denmark comes top, followed by the Netherlands and Ireland.
Although the upward trajectory of fines and notifications would suggest that the GDPR is forcing organizations to be more transparent about incidents and providing regulators with a powerful statutory instrument to punish major transgressors, the truth is more nuanced.
In the UK, for example, the Information Commissioner’s Office (ICO), a leading regulator in the drafting of the legislation, significantly reduced fines planned for BA and Marriott International, from a combined £282m to just £38m last year. It is believed the COVID-19 pandemic may have been a factor.
Concerns were raised last year that national regulators are simply not resourced sufficiently to launch major investigations against the world’s biggest companies, especially tech giants with deep pockets.
However, the coming year is likely to see a ramping up of regulatory pressure, warned Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group.
“Regulators have adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship,” he explained.
“During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”