Since the General Data Protection Regulation came into force, breach notifications and fines have shown double-digit annual growth at European level, according to law firm DLA Piper.

Since the application of the General Data Protection Regulation (GDPR) in the European Economic Area on 25 May 2018, 272.5 million euro of fines have been imposed for a wide range of infringements of Europe’s tough data protection laws.

DLA Piper, an international law firm, published the figure in its latest annual report on General Data Protection Regulation (GDPR) fines and data breaches.

The survey covers the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein.

“Companies have a duty to introduce internal data management and protection measures. Beware of those who do not respect their obligations,” warns Gaëlle Lipinski, in-house Legal Adviser and Data Protection Officer at the Luxembourg Chamber of Commerce.

The National Data Protection Commission (CNPD), Luxembourg’s independent public institution in charge of data protection supervision, has received 920 data breach notifications since 2018. The country ranks 18th overall in the survey. It has issued no fines to date.

According to DLA Piper, Italy’s regulator tops the rankings with total fines of 69.3 million euro, followed by Germany (69.1 million euro) and France (54.4 million euro).

Cultural approaches

“Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers,” Olivier Reisch, Partner of DLA Piper’s Luxembourg Intellectual Property & Technology, explains.

“They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead”.

During the period, more than 281,000 data breaches were notified to national regulators. Germany (77,747 notifications), the Netherlands (66,527) and the UK (30,536) top the table for the number of data breaches notified to regulators.

Although France and Italy have populations of over 67 and 62 million respectively, the two countries recorded only 5,389 and 3,460 data breach notifications, a low number that “illustrates the cultural differences in approach to breach notification,” the survey says.

In 2020, around 331 notifications were made to national regulators every day, a 19% increase on the 278 daily breach notifications recorded in 2019.

During the period, however, “regulators have shown a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship,” Reisch observes.

Record fine for Google

Google has received the highest GDPR fine to date (50 million euro), imposed by France’s data protection regulator for alleged infringements of GDPR’s transparency principle and a lack of valid consent.

“Regulators have been testing the limits of their powers this year issuing fines for a wide variety of infringements of Europe’s tough data protection laws,” notes Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group.

“But they certainly haven’t had things all their own way with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defenses of enforcement action continue”.

Schrems II vs Facebook

For 2021, the international law firm anticipates “the first enforcement actions related to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

On 16 July 2020, the European Court of Justice (ECJ) issued the Schrems II judgement, in a case brought by Maximilian Schrems, an Austrian privacy activist.

Schrems asked the Irish Data Protection Commissioner to suspend the transfers Facebook made under Standard Contractual Clauses (SCCs), the mechanism that allowed the social network to transfer personal data to its headquarters in the US.

The personal data, both in transit to and when stored in the US, could be accessed by US intelligence agencies, it was argued. This, according to Schrems, would be in violation of the GDPR and, more broadly, of EU law.

The ECJ invalidated the EU-US Privacy Shield, the arrangement between the EU and the US that had been deemed to provide an adequate level of protection for personal data exported to the US. The SCCs themselves survived, but data exporters relying on them must now assess whether the law of the destination country undermines the protection the clauses are meant to provide.

Silicon Luxembourg, January 2021