Regulatory fines for data breaches under the General Data Protection Regulation increased by 39% in Europe over the past year to €158.5 million ($192.5 million), according to new research from the law firm DLA Piper LLP.
The firm said regulators "tested their powers" under the GDPR in 2020 after a slow start in the first 20 months of the regulation, when fines amounted to 114 million euros.
Total fines imposed since the GDPR was introduced in May 2018 now amount to 272 million euros, with five national regulators accounting for more than 92% of the total, according to DLA Piper.
Italy has imposed the highest fine at EUR 69.3 million, followed by Germany at EUR 69.1
The report states that there were 281,000 data breaches reported to European regulators under the GDPR at the end of January 2021. Germany has the most at 77,747, followed by the Netherlands at 66,527 and the United Kingdom at 30,536. France and Italy registered only 5,389 and 3,460 reports of data breaches, respectively.
DLA Piper said that although regulators are flexing their new muscle under the GDPR, they have also had several cases appealed or fines reduced.
Last month, the Austrian postal service successfully appealed a fine of EUR 18 million, while in the UK, the Information Commissioner's Office reduced a record fine of £183 million ($251.1 million) against British Airways (BA) to £20 million. It also reduced a proposed fine of £100 million against the Marriott International hotel chain to just over £18 million.
Legal arguments against fines are likely to continue, the law firm said.
Ewa Kurowska-Tober, Global Co-Chair of DLA Piper's Data Protection and Security Team, said: “Regulators have tested the limits of their powers this year and imposed fines for a variety of violations of Europe's strict data protection laws. But they have certainly not had things all the way, with some remarkably successful appeals and large reductions in the proposed fines. Given the large amounts and the risk of follow-up claims for compensation, we expect the trend of more appeals and more robust defense of enforcement measures to continue.”
Ross McKean, Chairman of DLA Piper's UK Data Protection and Security Group, added: “Fines and infringement reports continue their double-digit annual growth and European regulators have shown their willingness to exercise their enforcement powers. They have also adopted some extremely strict interpretations of the GDPR, which leaves room for hot legal battles in the coming years.”
Mr. McKean said that DLA Piper now expects the first enforcement measures for the transfer of personal data to the United States and other third-party countries after the Schrems II case. In July last year, the European Court of Justice ruled against the Privacy Shield Agreement, which made it possible to transfer EU consumer data held by technology companies and other companies to the United States.