European data protection regulators have imposed €114 million in fines for GDPR violations since the regulation came into effect in May 2018. This figure is low compared to the penalties the law allows. Enforcement activity is expected to increase in coming years, and fines are expected to rise with it.
GDPR Fines Expected to Increase
The GDPR (General Data Protection Regulation) is a far-reaching European data privacy law. It was introduced to safeguard the personal data of individuals in the EU. GDPR specifies stiff penalties if companies lose control of personal data or process it without a valid legal basis, such as proper consent. Under the law, the most serious violations can be fined up to 4% of a company's global annual turnover or €20 million, whichever is higher.
The law is in force in the 28 EU member states as well as Norway, Iceland and Liechtenstein. The latter three countries are members of the European Economic Area but not full EU members.
The GDPR is enforced by each country's national data protection authority.
To date, fines imposed by EU countries under GDPR are low compared to the penalties imposed in EU anti-trust cases. Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said this indicates “that we are still in the early days of enforcement”. He expects momentum to build, with more multimillion-euro fines being imposed over the coming year as regulators ramp up their enforcement activity. Fines are also expected to rise as legal precedents are established.
GDPR Data Breach Survey Results
In February 2019, DLA Piper's cybersecurity team conducted a survey of data breach notifications issued since GDPR came into force. A summary of the findings, detailed in a DLA Piper report, was made public by the firm yesterday.
Summary of GDPR Violation Fines Imposed since May 2018
According to DLA Piper's report, over 160,000 breach notifications have been made to regulators across the countries in which GDPR applies. Total fines were highest in France (€51m), Germany (€24.5m) and Austria (€18m).
France was responsible for the single biggest financial penalty: the French regulator imposed a €50m fine on Google for infringements of the transparency principle and lack of valid consent for personalised advertising. Germany and Austria followed, with total fines of €24.5m and €18m respectively.
The Netherlands reported the largest number of breach notifications, with 40,647 breaches notified to its regulator. Germany came next with 37,636 notifications, followed by the UK with 22,181.
The report also states that the rate of breach notifications has increased by more than 12% compared with the previous year.
Pending Fines for GDPR Violations
In the UK, two further penalties are pending. The UK's Information Commissioner's Office (ICO) has announced its intention to fine British Airways £183m (~ €215m) over a cyberattack that exposed the personal data of around 500,000 customers. It has also announced its intention to fine the hotel chain Marriott £99m (~ €116m) over a cyberattack in which approximately 339 million guest records were exposed. Neither fine has been finalised at this stage, and both companies have the opportunity to make representations before the final amount is set.
In France, Google has also recently been fined €150m, although this is a competition-law penalty rather than a GDPR fine. The French competition watchdog found that Google had abused its dominant position in the online advertising market when dealing with advertisers, applying unclear rules and changing them at will. Google intends to appeal the ruling.