Europe has seen a dramatic surge in potential privacy violations being reported since new rules came in that force organisations to provide better data protection.
In the eight months since Europe’s toughened data privacy regime came into effect last May there have been over 59,000 data breach notifications reported across the European Economic Area (EEA).
These range from “minor” incidents, such as sending e-mails to the wrong recipient, to “major” hacks involving millions of users’ details.
According to law firm DLA Piper’s GDPR Data Breach survey, most of the reported breaches under the EU General Data Protection Regulation (GDPR) were made in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600). The countries with the lowest numbers of reported breaches were Cyprus (35), Iceland (25), and Liechtenstein (15).
As yet there is no publicly available data for Croatia, Slovakia, Estonia, Lithuania, or Bulgaria.
The Netherlands is also the most likely country in the EEA to file a GDPR complaint (in terms of number of complaints compared to population size), followed by Ireland and Denmark. Greece, Italy, and Romania, meanwhile, reported the fewest breaches per capita.
So far, only 91 fines have been reported. Not all of these relate to personal data breaches, and several relate to other infringements of GDPR. The highest GDPR fine imposed to date is €50 million (U.S. $56.7 million), which the French data protection regulator levied against Google in January regarding how the internet company processed personal data for advertising purposes without valid authorisation.
Besides a couple of cases in Germany where fines of €80,000 and €20,000 were imposed, however, most fines have been low value. For example, a retail establishment in Austria received a €4,800 fine (U.S. $5,435) for operating a CCTV system that captured too much of a public sidewalk. Meanwhile, Cyprus has reported four fines with a total value of €11,500 (U.S. $13,022).
Sam Millar, a partner at DLA Piper specialising in cyber- and large-scale investigations, says that despite the “landmark” penalty against Google for improper data use, regulators will regard breaches of personal data equally seriously.
“We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals,” says Millar. “We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications,” he adds.