It has been close to two years since the General Data Protection Regulation (GDPR) came into force across the EU, updating ageing data protection laws across the region. In the lead-up to GDPR being introduced, there was plenty of hysteria and hyperbole across the business world and media, with claims that GDPR would be too costly to introduce and overbearing for business.
The reality has been more measured, and data protection regulators have taken a sensible approach to balancing guidance and support with enforcement action.
However, only now that a decent amount of time has passed can we begin to see how GDPR is being used across Europe and understand the variances between individual countries.
Thanks to a new report from law firm DLA Piper, we now know that European data protection regulators have imposed €114 million in fines under GDPR. This figure does not include the €329 million in fines proposed by the ICO in the UK against companies that have faced high-profile data breaches, including Marriott and British Airways.
France has imposed the highest fines to date (€51 million), followed by Germany (€24 million), and Austria (€18 million).
Over 160,000 data breach notifications have been reported across the 28 European Union Member States, plus Norway, Iceland and Liechtenstein, since GDPR came into force on 25th May 2019.
The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators, with 40,647, 37,636 and 22,181 notifications respectively.
The daily rate of breach notifications has also increased by 12.6% from 247 notifications per day for the first eight months of GDPR (up until 27 January 2019), to 278 breach notifications per day for the current year.
Commenting on the report, Ross McKean, a partner at DLA Piper specialising in cyber and data protection, noted that whilst the data is useful, it is likely still early days when considering the wider impact. He said:
GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report, and regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.
Other useful stats
When data breach notifications are weighted for the population size of each country, the Netherlands sits at the top of the ranking table with the most breaches per 100,000 inhabitants (147.2). This is followed by Ireland (132.52) and Denmark (115.43). The UK sits around mid-table with 17.79 data breach notifications per 100,000.
At the bottom of the table sit Italy (2.05), Romania (1.) and Greece (1.5), measured in data breach notifications per 100,000. DLA Piper notes that Italy, a country with a population of over 62 million people, recorded only 1,886 data breach notifications, "illustrating the cultural difference in approach to breach notification".
DLA Piper notes that the current state of play may not be the status quo for future years. The report states:
It would be unwise to assume that low and infrequent fines will be the norm going forward. Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines. We expect to see more multi-million Euro fines in the coming year.
Fines certainly aren’t the only potential exposure for organisations which fall short of GDPR’s exacting requirements. Supervisory authorities enjoy a wide range of powers to impose other sanctions including in some countries the ability to publicly name and shame the wrongdoer.
There is also an increased risk of "follow-on" compensation claims, including group litigation which follows a regulatory finding of liability. Litigation funders have billions of Euros available to fund claims and, where local civil procedure rules permit, are becoming increasingly active in pursuing group litigation claims for large groups of affected individuals on the basis of alleged breaches of GDPR and data protection laws. Recent UK group litigation claims based on data protection law infringements would be very familiar to US class action lawyers.
It's worth noting that whilst the UK is set to leave the EU at the end of January, the ICO notes that the government intends to incorporate GDPR into UK data protection law, which means that organisations will still need to follow the legislation and be compliant. Take a look at this diginomica/government piece for a clear rundown of the 14 things you actually need to do to become GDPR compliant.