DIGITAL DEFENDER: GDPR TOUGH BUT FAIR ON DATA BREACHES

Since coming into force in the European Union (EU) in May 2018, the General Data Protection Regulation (GDPR) has done much to identify and penalise data privacy violations, with total fines enforced to date across all EU member states approaching €300m.

And although enforcement activity dipped somewhat during the early months of the coronavirus (COVID-19) pandemic, application of the regulation has since returned to its prior intensity, with supervisory authorities having issued over €170m worth of fines, including one authority alone imposing a €100m penalty.

“Authorities are increasingly using their enforcement instruments and expecting companies to have become fully compliant with the GDPR,” suggests Jan Feuerhake, a partner at Taylor Wessing. “The COVID-19 pandemic was a factor for more leniency regarding GDPR violations, but only for a period of about three months or so. Enforcement has picked up with full speed again.”

That said, despite the significant resurgence in GDPR fines following last year’s temporary moratorium, when these penalties are broken down by individual nations, it becomes clear that enforcement of the regulation is far from consistent. Also, the fines do not reflect the double-digit growth in data breach notifications – a 19 percent year-over-year (YoY) increase from 287 to 331 per day, according to DLA Piper’s 2021 ‘GDPR fines and data breach survey’.

On the consistency of fines between nations, the DLA survey found that Germany and Italy account for over 50 percent of the GDPR fines issued since 2018, with each imposing around €69m. The only other nations to be anywhere near as active have been France, issuing approximately €54m, and the UK, with around €44m. As a whole, these four countries account for almost all the GDPR fines issued to date, with Spain accounting for most of the balance, issuing a total of €14m.

Jul-Sep 2021 Issue

Fraser Tennant