Record-breaking New Fines
This year has seen two record breaking GDPR fines.
The first was imposed by the Luxembourg data protection supervisory authority against a US-based online retailer and e-commerce platform for EUR746m (USD843m/GBP619m). The second was imposed by the Irish Data Protection Commission on WhatsApp Ireland Limited for EUR225m (USD254m/GBP187m). Both fines are subject to ongoing appeals.
Sevenfold Increase in Value of Aggregate Fines Imposed
This year supervisory authorities across Europe have issued a total of EUR1.087bn (USD1.23bn/GBP0.9bn) in fines since 28 January 2021, which is a sevenfold increase on the total of EUR158.5m (USD179m/GBP132m) issued in the year from 28 January 2020. Much of this increase is due to the two record-breaking fines referenced above. Fines may be grabbing the headlines, but the Schrems II judgment and its profound implications for data transfers continue to be a major challenge for organisations caught by GDPR.
Country Aggregate Fines League Table
It’s all change at the top of this year’s country league table for the aggregate fines imposed to date, with Luxembourg and Ireland replacing Italy and Germany in the top two spots and Italy moving down to third place, at EUR746m (USD843m/GBP619m), EUR226m (USD255m/GBP188m) and EUR79m (USD89m/GBP66m) respectively.
Significant Increase of Breach Notifications
The trend of increasing numbers of data breach notifications has also continued over the last year. For the year commencing 28 January 2021, there have been more than 130,000 personal data breaches notified to regulators and on average 356 breach notifications per day, an 8% increase on last year’s daily average of 331 notifications.
Successful Appeals
This year has also seen some successful appeals against decisions and penalties imposed by data protection supervisory authorities. Notably, the German data protection supervisory authorities are continuing to find it difficult to make fines stick. The headline EUR14.5m (USD16.4m/GBP12m) fine imposed by the Berlin data protection supervisory authority against Deutsche Wohnen SE for alleged infringements of the storage limitation principle was held to be invalid by the Regional Court of Berlin. The court found that the Berlin DPA had failed to specify acts of the management of Deutsche Wohnen SE which were in breach of GDPR and therefore had not satisfied the requirements of the German Act on Regulatory Offences.
The public prosecutor, in consultation with the Berlin DPA, has now appealed the Regional Court’s decision. This follows a decision by the Bonn Regional Court in November 2020 reducing a EUR9.6m (USD10.8m/GBP8m) fine against 1&1 Telecom on the basis that the original fine was “unreasonably high”. As noted in last year’s survey, following the 90% and 80% reductions of the fines originally proposed by the UK ICO for two data breaches, there is so much legal uncertainty and there are so many open legal questions concerning GDPR that it often pays to appeal and to mount robust challenges to proposed regulatory sanctions.