Report: GDPR fines surpass $1B in 2021; breach notifications also rise

The figure, totaled since Jan. 28, 2021, represents nearly seven times the €158.5 million (U.S. $179.5 million) fine amount for the previous year.

Two penalties—Luxembourg’s €746 million (U.S. $845 million) fine against Amazon and Ireland’s €225 million (U.S. $255 million) fine against WhatsApp—account for nearly €1 billion of the total from 2021, showing data protection authorities (DPAs) are beginning to issue the kind of attention-grabbing sanctions initially expected under the privacy law.

Yet, DLA Piper noted Italy and Spain still lead the way regarding number of fines issued, leaving an “open question” over which approach is most effective at driving better compliance.

Beyond the increases in fine totals, the law firm believes the greatest data protection compliance challenge for companies is ensuring data transfers between the European Union and third countries are compliant with the July 2020 “Schrems II” judgment, which held data can only be transferred out of the European Union if the origin country can guarantee the same level of data protection as the GDPR. The ruling does not just create a risk of fines and claims for compensation—it also threatens service interruption in the event data transfers are suspended, with serious implications for business continuity.

“The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims,” said Ross McKean, chair of the U.K. data protection and security group at DLA Piper. “The focus on transfers and the significant work required to achieve compliance inevitably means organizations have less time, money, and resources to focus on other privacy risks.”

Businesses can expect to face scrutiny around data transfer compliance in the context of audits, due diligence, procurement processes, and other compliance verification exercises throughout 2022, DLA Piper predicted. Several EU DPAs—notably in Belgium, Germany, Greece, and Ireland—are conducting ongoing investigations into how exporters are complying with international data transfer restrictions.

Among other GDPR-related compliance challenges companies need to contend with, the law’s transparency principle around how—and why—personal data is used and shared will remain an enforcement priority for supervisory authorities across the European Union, according to DLA Piper. There has also been a “notable uptick” in fines following investigations by supervisory authorities of inadequate security measures at companies as cyberattacks have increased during the pandemic.

The law firm also warned, “There will be significantly more complaints, investigations, and enforcement activity this year in relation to cookies and similar tracking technologies.”

In 2021, there was an 8 percent increase on the previous year’s average of 331 breach notifications per day to 356, with more than 130,000 personal data breaches notified in aggregate since Jan. 28, the report noted.

Despite trends toward tougher enforcement, the research suggested companies might want to challenge any GDPR penalties they receive. German property company Deutsche Wohnen’s successful appeal of its €14.5 million (U.S. $16.4 million) fine last March showed judgments are not infallible, while massive reductions to fines against 1&1 Telecom in Germany and British Airways and Marriott in the United Kingdom during 2020 are further proof legal challenges can pay off.

“Given there is so much legal uncertainty and so many open legal questions concerning GDPR, it often pays to appeal and to mount robust challenges to proposed regulatory sanctions,” DLA Piper said in its report.