GDPR: $126 Million in Fines and CountingMore than 160,000 Data Breaches Reported to EU Regulators, DLA Piper Finds
Since the EU's General Data Protection Regulation went into full effect, European data protection authorities have received more than 160,900 data breach reports, according to the law firm DLA Piper.
From when GDPR went into full effect on May 25, 2018, until Friday, EU data protection authorities also imposed €114 million ($126 million) in fines under the privacy regulation for a wide variety of infringements, not all involving data breaches.
"France, Germany and Austria topped the rankings for the total value of GDPR fines imposed with just over €51 million [$57 million], €24.5 million [$27 million] and €18 million [$20 million] respectively," DLA Piper says. "The Netherlands, Germany and the U.K. topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications each."
The report doesn't count the U.K. Information Commissioner's Office stating that it intends to fine Marriott International $130 million and to fine British Airways $239.5 million for data breaches that occurred after GDPR went into full effect, since those penalties have yet to be finalized.
GDPR: Maximum Penalties are Serious
Clearly, however, GDPR has been reshaping the data breach and privacy discussion in Europe, says Ross McKean, a partner at DLA Piper who specializes in cyber and data protection, although regulators have yet to use their full fining power.
"The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement," he says. But he predicts that multi-million euro fines will become more common in the coming year as regulators build on past enforcement efforts and find their footing.
Any organization worldwide that violates the privacy regulation faces fines of up to 4 percent of their annual global revenue or €20 million ($22 million) - whichever is greater - as well as other potential sanctions, such as losing their ability to process personal data. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11 million) or 2 percent of annual global revenue.
Also, organizations face a 72-hour deadline for alerting authorities whenever they learn of a breach that may have exposed Europeans' personal data. Some regulators, for example in the U.K., have said that with such a notification, they expect to see solid details about what happened and the likely impact on victims.
But not all regulators have issued such guidance. "It’s likely going to take a few more years for guidance and enforcement practice across Europe to make it easier to tell when a breach is - or is not - notifiable, though the test is likely to continue to vary from country to country," McKean says.
The new research into data breach notifications and fines updates a previous study from DLA Piper, which reviewed GDPR's first eight months. That study found that data breach notifications in Europe averaged 247 per day, which the new study finds have risen by 13 percent to 278 notifications per day for the past year (see: Data Breach Reports in Europe Under GDPR Exceed 59,000).
As with the prior report, the new report comes with some caveats.
DLA Piper's latest report gathers data from most - but not all - countries in the European Economic Area, which includes all 28 EU member states as well as Iceland, Liechtenstein and Norway, which also comply with GDPR.
But not all countries have shared GDPR enforcement action information. "Bulgaria, Croatia, Portugal, Slovakia did not provide any data on breach notifications," DLA Piper says, and Croatia provided no information on any GDPR fines it has levied. "Many of the other countries surveyed only provided data for part of the period covered by the report so - as noted in the report - we had to extrapolate," which also explains why the report's count of data breach notifications covers the time period running from May 25, 2018, to Jan. 27, 2020.
Germany, for example, has 16 state data protection supervisory authorities, as well as a federal supervisory authority. But four of the state-level ones "either provided incomplete data or no data so we have extrapolated data for these states based on the data provided by other state supervisory authorities," DLA Piper says.
Reported Breaches Per Capita: Wide Variation
One notable finding in the report is that there's a wide variation in the data breach notifications per capita. The Netherlands, for example, over the past year reported 147.2 data breaches per 100,000 residents, while Germany reported 31.2, the U.K. 17.8 and Greece only 1.5.
Multiple factors appear to account for that variation, DLA Piper's McKean tells Information Security Media Group.
"GDPR is interpreted quite differently across Europe. Although it’s the same legal text, as it is principle-based and open to interpretation, that’s exactly what has happened in practice," he says. "Some regulators have interpreted the trigger for notification at a lower level than other regulators. In the U.K., the Information Commissioner - receiving over 1,000 breach notifications per month - is encouraging controllers to consider whether a security breach really does meet the threshold for notification, or not. That approach seems to have suppressed the number of notifications in the U.K., relative to other countries."
Indeed, some countries have been reporting what appear to be relatively low numbers of breaches, based on their population. "Third from the bottom of the weighted notifications per capita table is Italy, a country with a population of more than 62 million, which has reported only 1,886 data breach notifications," he says.
As this demonstrates, GDPR is still in its infancy, and regulators continue to hone their approach.
Patrick Van Eecke, chair of DLA Piper's international data protection practice, says organizations that must comply with GDPR are waiting to see greater consistency from different countries' data protection authorities, but that it may be a long time coming.
"The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers," he says. "We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years."