Fines under the General Data Protection Regulation (GDPR) are becoming more frequent and more punitive, according to research released Thursday.

Law firm CMS’s second annual “Enforcement Tracker Report” analyzes all publicly available information in relation to GDPR fines across the European Union. According to the report, data protection authorities (DPAs) issued a total of 287 known GDPR fines between March 2020 and March 2021. This amounts to a 120 percent increase on the 239 penalties issued total (since May 2018) prior to March 2020.

The most common violation is the illegal processing of personal data, accounting for 38 percent of all fines tracked since May 2018 and 6 of 10 of the highest penalties across the European Union. CMS says this shows companies are still struggling to manage the legal uncertainty in GDPR interpretation and application.

Data security ranked second among violations at 21 percent of fines.

Almost a third of all fines have been issued by the Spanish DPA, followed by Italy, Romania, and Hungary.

Since the GDPR came into force, industry and commerce, media, telecommunications, and broadcasting companies account for 40 percent of all fines issued, according to the report. The highest average fines (as opposed to numbers of fines) have come against the accommodation and hospitality, transport, and energy sectors.

DPAs are cracking down on illegal video surveillance, with 70 percent of fines issued to the hospitality industry relating to this type of violation, the report states. Direct marketing activities—such as spam emails and “nuisance” sales calls—also accounted for a significant proportion of fines.

Michael Kamps, partner at CMS, says analyzing GDPR penalties “shows the relevant differences in DPA fining practice between jurisdictions.”

“Even though fully harmonized, there is hardly another area that is shaped more by national laws and the respective watchdog’s practice than GDPR fines and enforcement,” says Kamps.

CMS’s research also found it might be worthwhile for companies to contest fines. The last year saw both British Airways and Marriott International receive significant reductions on their proposed fines from the U.K. Information Commissioner’s Office, while Deutsche Wohnen managed to have a €14.5 million fine voided in a Berlin court.

“DPA opinion is not necessarily the last word,” says Kamps. “DPAs, as well as courts in various countries including the U.K. and Germany, have significantly reduced fines. Apparently, it is not over till the fat lady sings.”