vectorfusionart - stock.adobe.co

GDPR nets more than €100m in fines, with more to come

Fines totalling €114m have already been collected under GDPR, and this figure will spike in 2020 if the UK regulator succeeds in imposing record fines on BA and Marriott

Regulators across Europe have imposed fines of €114m (£97.45m) under the European Union General Data Protection Regulation (GDPR) since the rules came into effect, and this figure is set to rise by €329m (£281.3m) if fines against British Airways (BA) and Marriott in the UK are imposed.

This is according to law firm DLA Piper’s latest GDPR breach survey, which studied the impact of the regulations across the 28 EU member states where they apply, as well as Iceland, Liechtenstein and Norway.

With the UK excluded – not due to Brexit, but because its record-breaking fines have not yet been imposed – France, Germany and Austria have imposed the highest fines to date, at €51m, €24.5m and €18m respectively. The largest fine under GDPR so far was for €50m in France, imposed on Google for infringes of transparency and consent principles, not for a specific breach.

The Netherlands, Germany and the UK topped the table for the number of data breaches and other incidents under GDPR notified to their regulators, with 40,647, 37,636 and 22,181 notifications respectively. Italians, meanwhile, reported just 1,186 incidents. On a per capita basis, the Dutch, Irish and Danes reported the most incidents.

“GDPR has driven the issue of data breach well and truly into the open,” said DLA Piper partner Ross McKean, a cyber and data protection specialist.

“The rate of breach notification has increased by over 12% compared with last year’s report, and regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement.

“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity,” said McKean.

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, added: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers.

“We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”

This said, fines are not the only potential punishment that can be levied on organisations that fall short of GDPR standards. Authorities also enjoy the power to impose sanctions such as naming and shaming, as has been demonstrated in the not-yet-settled cases of BA and Marriott.

DLA Piper also noted the increased ‘risk’ of mass compensation claims, such as group litigation, following regulatory findings of liabilities. Billions of Euros are available to fund such claims and where local laws allow, group claims are now being seen on the basis of alleged breaches of GDPR, particularly in the UK, where “recent claims based on data protection law infringements would be very familiar to US class action lawyers”.

Looking ahead, DLA Piper said it expected some aspects of GDPR to continue to evolve, particularly around what constitutes an appropriate security measure to meet the standards required.

“In the same way that encryption became part of the legal standard of care under the previous regime, we anticipate that we will see other security controls emerge as hard requirements under Article 32 GDPR such as multi-factor authentication [MFA] when processing higher risk personal data,” the organisation said in its report.

“As was the case under the previous regime, we also anticipate that the Payment Card Industry Data Security Standard (PCI DSS) will be deemed to form part of the legal standard of care required by Article 32 GDPR when organisations process payment card information.”

It should be noted that DLA Piper’s report may be somewhat restricted by the fact that not all participating states make their notification statistics publicly available, with a number only providing figures for a part of the period covered by the report. In these instances, the numbers have been rounded up and in some cases extrapolated to provide a best approximation, rather than a statement of fact.

Read more about GDPR

Read more on Privacy and data protection