DLA Piper GDPR fines and data breach survey: January 2021

This year has been extraordinary in many different ways. The third annual DLA Piper GDPR fines and data breach survey, which we launched today, reflects how the current circumstances have affected the privacy landscape across the 31 European countries surveyed. The report includes key GDPR metrics compiled from data from the 27 EU Member States plus the UK, Norway, Iceland and Liechtenstein.

A theme of this year’s report, in common with our previous reports, is that there is significant variance in compliance and enforcement practice across the countries surveyed. The level of individual fines imposed, the aggregate value of fines per country and the number of personal data breaches notified per country all varied widely. As our weighted rankings of the number of personal data breaches notified per 100,000 people demonstrate, there are notable cultural differences in the approach to breach notification, with France and Italy, both with populations in excess of 60 million people, ranking well down the table.

There has also been year-on-year double-digit growth both in the aggregate value of fines issued, for a wide range of alleged infringements of GDPR, and in the number of personal data breaches notified since 28 January 2020.

A total of EUR158.5m (USD193.4m / GBP142.7m) in fines was imposed in the period from 28 January 2020, a 39% increase on the previous 20-month period since the application date of GDPR on 25 May 2018. On average, 331 personal data breach notifications were made per day since 28 January 2018, compared to 278 breach notifications per day for the previous year.

Commenting on the new report, Ross McKean, partner and Chair of the UK Data Protection and Cybersecurity Practice at DLA Piper, said:

“Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other “third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

This year’s report also considers emerging trends and enforcement priorities. Ewa Kurowska-Tober, partner and Global Co-Chair of Data Protection and Cybersecurity at DLA Piper, noted that “many of the fines issued so far clearly indicate a strong emphasis on the transparency principle of the GDPR, fining controllers for allegedly overly complex privacy notices and insufficient granularity, lack of accuracy or missing information. Regulators have set the transparency bar very high with their interpretations of this requirement, though we note that several of these fines are subject to appeal. There is still considerable legal uncertainty as to what the legal standard of care is for transparency.”

Other emerging enforcement trends include alleged failures to demonstrate a lawful basis for processing, lack of appropriate security measures, and breaches of the data minimisation and storage limitation principles.

The report is available to download here.