Annual Report Shows Record GDPR Fines And Rise in Breaches

Photograph of DLA Piper Logo on Building

A report created by law firm DLA Piper‘s cybersecurity and data protection team indicates that 2021 was a record year for GDPR fines and data breaches.

The tidal wave of GDPR policy is now crashing on the economy. The EU’s GDPR — which regulates the processing and movement of personal data — has been in place since 2018, and the new regulatory framework is starting to make its presence felt.

As a result, DLA Piper has looked at unprecedented GDPR (General Data Protection Regulation) fines and a continuing trend in increasing personal data breach notifications. The annual report prepared by the law firm surfaced on January 18th, 2022, and is entitled: “DLA Piper GDPR fines and data breach survey: January 2022.”

Record-Breaking Fines Represent a Sevenfold Increase

DLA Piper’s report was formed from a survey that encompassed 27 European Union Member states, including the UK, Iceland, Norway, and Liechtenstein. It is the “General Data Protection Regulation (GDPR) Fines and Data Breach Survey.”

According to the report, numerous European data protection supervisory authorities issued an estimated 1.1 billion Euros in GDPR fines since January 28th, 2021. This is a sevenfold increase compared to last year’s total.

Luxembourg and Ireland Have Broken Records

Information in the report confirms that Luxembourg and Ireland have imposed record-breaking fines, surpassing Germany and Italy, which used to be in the top two spots. In the top ten largest fines ever recorded to date under the GDPR framework, Luxembourg and Ireland have imposed 746 million Euros and 225 million Euros in fines, respectively, since January 28th, 2021.

The 746 million Euro GDPR fine by the Luxembourg National Commission for Data Protection (CNDP) was imposed on a “US online retailer” — Amazon — and is “the biggest fine so far for non-compliance with the GDPR.” Meanwhile, Ireland imposed a fine of 225 million Euros on Meta’s WhatsApp.

France, Germany (Hamburg), and Italy’s figures have now plummeted far below Luxembourg and Ireland. These nations have grabbed third, fourth, and fifth place respectively with fines amounting to 50 million Euros or less.

Increasing Personal Data Breach Notifications

The GDPR’s requirement for organizations to report breaches is now also fully in action. As a result, the report showed increasing numbers in daily data breach notifications in Europe, which have “continued over the last year, for the third year running.”

Since January 28th, 2021, an 8% increase was noted compared to the previous year, with over “130,000 personal data breaches notified to regulators.” Germany took the overall top spot with 106,731, while when weighed against country populations, the Netherlands took the top position with 150.7 personal data breaches per 100 people.

On the other hand, the Czech Republic, Greece, and Croatia reported record-low data breach incidents since 2018.

Schrems II Case Has Complicated Privacy Regulation and Compliance

Schrems II, also known as the 2020 Maximilian Schrems case, was a landmark case by the Court of Justice of the European Union (CJEU.) The case concerns personal data transfer violations between the EU and other countries that are non-GDPR compliant. Consequentially, the far-reaching after-effects brought about by the case have manifested themselves in record-breaking GDPR fines, suggested Ross McKean, Chair of the UK Data Protection and Security Group.

The report continues to add that the Schrems II case has serious implications for the continuity of business, and compliance. The ramifications of the case do not “just create a risk of fines and claims for compensation,” but lead to service interruption if data transfers are suspended.

Global Co-Chair of DLA Piper’s Data Protection & Security Group Ewa Kurowska-Tober also underlined the difficulties Schrems II creates in the industry. Kurowska-Tober emphasized that meeting Schrems II requirements now “is a challenge even for the most sophisticated and well-resourced organizations and is beyond the means of many small and medium-sized enterprises.”

Both McKean and Kurowska-Tober’s views seem to align in that Schrems II has shifted focus away from the immediate priority of resolving the conflict of laws to dealing with unrealistic compliance burdens on business and disruption to international trade.

GDPR Regulation and Schrems II in Action

This report casts a light on the ongoing turbulence in the data protection and regulatory environment and how that bodes for business as the economy emerges from a global pandemic.

The Schrems II judgment, particularly, has profound implications on business. McKean stated that the case has “established itself as the top data protection compliance challenge for many organizations caught by GDPR.” EU to U.S. data transfers is going to be a particularly turbulent area going forward.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.