European data protection authorities have imposed €1.1 billion ($1.2 billion) in fines under the General Data Protection Regulation (GDPR) since January 28, 2021, according to the international law firm DLA Piper’s annual GDPR fines and data breach survey.
The survey – which covers the 27 member states of the European Union, the European Economic Area members Norway, Iceland and Liechtenstein, and the United Kingdom, now a former EU member – found that fines increased sevenfold in 2021.
The year saw all-time high fines imposed by Luxembourg and Ireland, displacing Italy and Germany from the top two places in the list of overall fines. Luxembourg and Ireland imposed fines of €746 million ($843 million) and €226 million ($255 million), respectively, pushing Italy into third place with €79 million ($89 million) in fines.
In addition, the Luxembourg National Commission for Data Protection (CNPD) has issued the highest single GDPR fine to date, imposing a €746 million fine on US-based online retailer Amazon. This is 14 times higher than the previous highest single fine of €50 million ($57 million), imposed by France on Google in 2019.
The Schrems II judgment initiated an increase in GDPR fines
Strict regulations under the European Court of Justice’s Schrems II judgment have been widely blamed for the nearly sevenfold increase in fines this year. “The Schrems II judgment and its profound implications for data transfer have established themselves as a top data security compliance challenge for many organizations covered by the GDPR,” said Ross McKin, chairman of the UK Data Protection and Protection Group.
The Schrems II ruling invalidated the European Commission’s Privacy Shield decision, which affected data transfers between EU and US businesses, due to the aggressive US surveillance program. The Privacy Shield Framework was intended to allow personal data to be transferred legally from the EU to the United States while complying with certain data protection safeguards. The transfer of personal data is now possible only through the provisions of the Standard Agreement, which sets out a level of data protection equivalent to the GDPR and the EU’s Fundamental Rights Charter.
The Schrems II ruling effectively shifts the problem and burden of a fundamental conflict of law from politicians and lawmakers to data exporters and importers, says Eva Kuroska-Tobar, global coach of DLA Piper’s Data Protection and Protection Group. “What is really needed is a solution to the underlying conflict of law, rather than imposing an unrealistic burden on business, and another headwind for international trade as we emerge from the global epidemic,” he said.
Reports of growing violations across Europe
The DLA Piper survey also noted that, for the third year in a row, the number of daily data breach notifications in Europe has grown.
Since January 28, 2021, more than 130,000 personal data breaches have been reported to regulators, an average of 356 breach notifications per day. This is an 8% jump from 331 notifications per day in 2020.
The Netherlands reported an average of 150.7 violations per day, the highest number per 100,000 people among the countries surveyed. Greece, the Czech Republic and Croatia have had the lowest per capita violations since 2018.
Copyright © 2022 IDG Communications, Inc.