EU regulators dish out record €1.1bn in fines for GDPR breaches in 2021
The total value of fines dished out by EU authorities for breaches of GDPR has risen to record highs of almost €1.1bn (£0.9bn), after jumping sevenfold between 2020 and 2021.
EU authorities dished out a record €1.087bn worth of fines last year – a sevenfold increase on the € 158.5m worth of fines handed out to rule-breakers in 2020.
The record-breaking high comes after the Luxembourg’s data protection authorities imposed a €746m fine on an unnamed US e-commerce platform in 2021, according to analysis from DLA Piper.
In the same year, Ireland’s Data Protection Commission (DPC) imposed a €225m on WhatsApp Ireland, whilst French regulators imposed a €50m fine on Google.
The General Data Protection Regulation (GDPR) was brought by the European Union in April 2016, and became enforceable in May 2018.
As set out in the law, EU data protection watchdogs can impose fines of up to €20m, or of a sum equivalent to 4% of the breacher’s worldwide revenues for the previous financial year – going with whichever figure is higher.
Last year’s record-breaking fines come as a number of regulators across Europe, including the UK, Luxembourg, and Ireland, have opted to impose a small number of huge fines on a tiny set of high-profile rulebreakers.
By contrast, regulators in countries including Spain and Italy have instead chosen to issue a large number of small fines on a much large set of companies.
In a report, DLA Piper said that “while large fines attract lots of media attention and can act as a powerful deterrent, they also consume significant resources to investigate, enforce and to defend any appeals, particularly when the defendant organisations are large and well-resourced multinationals.”
On the rise
The record €1.1bn sum comes after the number of breach notifications jumped 8% between 2020 and 2021, to a total of more than 130,000 last year – equivalent to 356 breach notifications per day in 2021 compared to 331 per day in 2020.
On a per capita basis, the Netherlands had the highest number of breach notifications, with 150.71 breach notifications per person, followed by Liechtenstein (136.02), Denmark (130.6), Ireland (130.19), Finland (85.59), and Germany (79.42).
In an email to City PM, Ross McKean, Chair of DLA Piper’s UK Data Protection and Security Group, said: “The difference in breach notifications per capita is typically driven by differences in the culture of reporting.”
“The Netherlands had some of the strictest domestic breach notification laws of any EU Member State before GDPR applied so organisations got into the habit of ‘if in any doubt, report.”