It is probably fair to say much of the enforcement focus regarding the General Data Protection Regulation (GDPR) has been on those regulators that have historically talked tough about preserving privacy—namely, data protection authorities (DPAs) in Germany, Belgium, France, and the United Kingdom.
Yet, despite some headline-grabbing penalties, these countries have not shown the kind of enforcement records experts had predicted.
Indeed, since the GDPR came into force, between them they account for just 68 fines—around an eighth of the total 536 issued to date, according to the GDPR Enforcement Tracker. Even Ireland—the European home to Big Tech firms—has issued just four fines, and only one against a tech giant—€450,000 against Twitter—despite pressure to do more.
The story is very different in Spain and Italy.
Of the 323 GDPR sanctions issued in 2020, Spain and Italy accounted for over half (133 and 39, respectively). And in terms of the total value of fines issued since the GDPR came into force, Italy tops the table at €69.3 million (U.S. $84 million), according to law firm DLA Piper. Spain is in fifth place with nearly €14.5 million (U.S. $17.6 million)—admittedly, a long way behind Germany, France, and the United Kingdom, whose fine tallies are each three to four times higher.
Nicola Bernardi, chairman of Federprivacy, an Italian association of privacy professionals, says both the Italian and Spanish DPAs have employed a “pragmatic” approach to GDPR enforcement, adding their fines are “largely proportionate” to the level of harm caused and the size of the organization. He also points out that “these regulators have a good record for settling cases quickly and for tackling organizations both large and small.”
Of the 39 fines issued by the Italian DPA in 2020, only three—all against some of the country’s largest telecoms providers (TIM, Wind Tre, and Vodafone Italia)—were in excess of €1 million. Twenty fines were set at €10,000 and below.
Spain’s approach has been perhaps a little more polarized. Of the 133 fines issued last year, only one—against Spanish bank BBVA in December—amounted to a multimillion-euro penalty (€5 million). Many of the others were relatively tame—69 were less than €10,000, for example. Of the 176 fines the authority has issued since GDPR came into force, only four have surpassed €100,000, according to the GDPR Enforcement Tracker.
Experts say there had been suspicion among other EU DPAs that Spain’s regulator was only going after low-hanging fruit, “open-and-shut” cases where GDPR violations were obvious and where the level of penalties would not be contested by the companies being penalized.
The Spanish DPA, however, has hit the ground running this year with a €6 million fine against CaixaBank—its highest so far—and Bernardi believes there are “several more major cases in the pipeline that are likely to result in fines over €1 million.”
Lawyers believe Italy and Spain’s approach of issuing a large number of fines for a wide range of infringements and for varying amounts is likely to send out a very clear message to organizations that “they could be next” and that non-compliance carries a very real risk of sanctions.
“Compared to France and the U.K., Spain and Italy have issued many more fines and sanctions under GDPR,” says Diego Ramos, chair of DLA Piper’s data protection and cyber-security practice in Spain. “In contrast, the supervisory authorities in the U.K. and France have focused on fewer, higher, headline-making individual fines. The challenge with that approach is it could send the message that unless you are a Silicon Valley giant or a global brand suffering a major security incident, you are unlikely to be sanctioned.”
Another drawback with that approach, he says, is that “larger fines are also more likely to be appealed, straining the limited resources of the regulators’ enforcement teams and limiting their ability to issue more sanctions.”
Jane Sarginson, barrister at law firm St Philips Chambers, is unconvinced the number of fines or size of penalties actually matter. She questions whether the approach taken by the Spanish and Italian DPAs makes any more sense than those taken by other DPAs.
Instead, she believes the countries with the best approach to the GDPR are “those with the best rates of breach notifications and complaints per capita,” as this demonstrates the level of cultural understanding citizens have about privacy and potential data violations. According to DLA Piper’s research, Denmark, the Netherlands, and Ireland are way out in front. Spain and Italy, meanwhile, are languishing among the bottom six countries (the others being Czech Republic, France, Croatia, and Greece).
Sarginson adds other enforcement measures—such as warnings, reprimands, ordering changes to processes, and banning data processing—could act as better deterrents than fines. She also believes the real measure of any regulator’s success is whether it has managed to change the culture around data privacy to ensure compliance and encourage self-reporting. So far, she says, it is difficult to tell.
“The application of GDPR, or the way in which it has been implemented and enforced across the EU, is varied,” she says. “Until such time as those variations are reduced to an extent that a true comparison of one state against another can be made, opinions over an individual state’s approach to enforcement are largely conjecture.”