Study expects GDPR fines to rise in 2020

According to the law firm’s latest GDPR data breach survey, organizations have made (to date) a total of 160,921 personal data breach notifications to data protection supervisory authorities within the European Economic Area (EEA) since the GDPR came into force on May 25, 2018—an average of 278 per day since the end of January last year.

The Netherlands, Germany, and the United Kingdom had the most data breaches notified for the 20 months since the GDPR came into effect, with 40,647; 37,636; and 22,181; respectively.

These three countries also topped the table for the total number of breach notifications in last year’s report.

The countries with the fewest breaches notified for the full 20-month period were Latvia, Cyprus, and Liechtenstein, with around 173, 94, and 30, respectively. Last year, Cyprus, Iceland, and Liechtenstein were at the bottom. Italy, Romania, and Greece have reported the fewest breaches per capita (Italy, with a population of more than 62 million people, has only recorded 1,886 breach notifications).

Since the GDPR came into effect, total fines under the regime across the entire European Union is so far €114 million (about U.S. $126 million), which is quite low given supervisory authorities enjoy the power to fine up to 4 percent of total worldwide annual turnover of the preceding financial year.

France, Germany, and Austria top the table for the total value of GDPR fines imposed to date with €51 million (U.S. $56.6 million; against Google), €24.5 million (U.S. $27.2 million; against real estate company Deutsche Wohnen) and €18 million (U.S. $20 million; against Austrian Post, the country’s principal mail service provider).

The United Kingdom—which has two massive fines in the pipeline from intention to fine notices it gave to British Airways (U.S. $238 million) and Marriott Hotels (U.S. $129 million) in the summer—has so far issued only one relatively small penalty for £275,000 (U.S. $359,000) in December 2019 to Doorstep Dispensaree for failing to store paper documents (including medical records) securely, despite having received 22,181 personal data breach notifications to date.

Several countries have still not issued any GDPR fines—most notably Ireland, the EU home of many large technoogy firms. Commentators expect that to change this year. Other countries that have so far not issued financial penalties are Finland, Estonia, Iceland, Liechtenstein, Luxembourg, and Slovenia.

DLA Piper expects several more multi-million euro fines this year (not including those awaiting final sign-off in the United Kingdom, which have already dwarfed the current fines total). German data protection authorities, for example, caused quite a stir in October when they published guidelines for calculating GDPR fines. The proposed methodology, if followed, would drive much higher fines.

But the law firm adds that while financial penalties have their place, there are also a range of tools regulators have at their disposal under the GDPR that can be used in conjunction with fines. These include issuing assessment notices, where the regulator can assess whether processing is compliant, and enforcement notices, where the regulator can order a company to take steps to remedy any failure to comply.

Publicly naming and shaming companies that fall foul of the GDPR is also a strong possibility, as is the increased risk of “follow-on” compensation claims, including group litigation which follows a regulatory finding of liability.