Non-compliant businesses, beware: analysts say that regulators are about to get much tougher with GDPR enforcement.
It’s been two and a half years since the EU started implementing the General Data Protection Regulation (GDPR), and despite a timid start, the new laws are now gathering pace – with only larger fines to come for non-compliant businesses.
A new report from law firm DLA Piper’s data protection team, released to coincide with the Council of Europe’s data protection day, finds that the past year has seen a total of £142.7 million ($193.4 million) issued in GDPR-related fines, almost a 40% increase compared to the previous 20 months since the new laws came into force. The total reported fines since the GDPR started applying reach £245 million ($332 million).
The number of breach notifications is also growing, with an average of 331 data breaches reported per day over the past 12 months, compared to 278 notifications a day the previous year. In total, there have been more than 281,000 data breach notifications since May 2018.
GDPR-related activity is accelerating fast, therefore, but there are still headwinds blowing against the European rules. “The GDPR is still young,” Ross McKean, chair of DLA Piper’s UK data protection and security group, tells ZDNet. “It is a document still full of ambiguities and inconsistencies that make enforcing it quite difficult, so regulators are treading carefully.”
Although the rules are, in principle, a uniform set to be applied equally to all adhering countries, the reality is different. Equipped with disparate human, financial and technical resources, different nations have different approaches to implementing the laws.
The discrepancies show in the numbers. While Germany is responsible for 77,747 breach notifications since the GDPR launched, for instance, Italy recorded only 3,460 notifications in the same period – a statistic that can also be linked to cultural differences. “It’s not just one GDPR law, it’s a GDPR regulation that is interpreted differently across all of those countries,” says McKean.
Looking at the headline-grabbing fines that have been issued as a result of the GDPR, it is evident that uncertainties still surround the application of the new rules. The UK, for example, holds the spots for the fourth and fifth largest fines imposed for breaching GDPR requirements – but in both cases, the original sum was significantly reduced as a result of appeals.
British Airways was fined £20 million ($27 million) last year after personal details of hundreds of thousands of customers were stolen by hackers; this was a 90% reduction from the initially proposed £183.4 million, made in light of the impact of the COVID-19 pandemic. For the same reasons, hotel chain Marriott was fined £18.4 million ($25 million), or 20% of its original penalty, after it emerged that information belonging to 339 million guests had been stolen.
The biggest fine imposed to date under the GDPR came from French regulator CNIL, which in 2019 fined Google €50 million ($61 million) for a breach of transparency rules.
DLA Piper’s report notes that many open legal uncertainties in the interpretation of GDPR can partly explain why the fines imposed to date have been at the lower end of the scale. One thing is certain: those examples of successful appeals show that regulators “haven’t had it all their own way,” reads the report, despite the overall increase in fines and breach notifications.
According to McKean, however, it is only a matter of time before regulators build up sufficient confidence to enforce GDPR laws more forcefully. “If you look at the maximum amounts that those fines could reach in some companies, you’re in the billions,” says McKean. “It will be a while before we get there. It’s still early days, but the fines are only headed one way, and we are probably a few years away from the big fines to start coming through.”
And although the sums are, for now, only a percentage of what they could be, McKean argues, the deterrent effect of the GDPR should not be underestimated.
“We have the undivided attention of…