DLA Piper GDPR Fines and Data Breach Survey: January 2023A report produced by DLA Piper’s cybersecurity and data protection team
Data protection supervisory authorities across Europe have issued a total of EUR1.64bn (USD1.74bn/GBP1.43bn) in fines since 28 January 2022. A year-on-year increase in aggregate reported GDPR fines of 50%.
This figure is taken from DLA Piper’s latest annual General Data Protection Regulation (GDPR) Fines and Data Breach Survey of the 27 European Union Member states plus the UK, Norway, Iceland and Liechtenstein. This is more than double the aggregate value of fines issued in 2021. The increase demonstrates data protection supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR. It has also been influenced by use of the GDPR’s cooperation and consistency mechanisms and the European Data Protection Board which has repeatedly demanded significant increases to fines proposed by Member State data protection supervisory authorities. On average, fines referred to the EDPB during 2022 for a ruling were increased by 630%.
“There has been a spate of Irish Data Protection Commission fines arising from behavioural advertising practices. These have the potential to be every bit as profound for the future of the grand bargain struck between online service providers and consumers as Schrems II has been for international data transfers.”
Chair of the UK Data Protection and Cybersecurity Group
As predicted in last year’s survey, ad-tech and behavioural advertising were a top enforcement priority this year. The Meta group were on the receiving end of some of the very largest fines with the Irish Data Protection Commission issuing penalties of EUR210m (USD223m/GBP183m) against Facebook and EUR180m (USD191m/GBP157m) against Instagram in relation to their profiling practices.
Commenting on the survey findings, Ross McKean, Chair of the UK Data Protection and Cybersecurity Group said:
“There has been a spate of Irish Data Protection Commission fines arising from behavioural advertising practices. These have the potential to be every bit as profound for the future of the grand bargain struck between online service providers and consumers, which has funded most of the free to use internet we know today, as Schrems II has been for international data transfers.”
Ireland dominates the top ten largest fines, with five of the top ten fines issued by the Irish Data Protection Commission. Ireland is also now at the top of this year’s country league table for the aggregate fines imposed to date, with fines now totaling over EUR1.0bn (USD1.06bn/GBP0.87bn).
After four consecutive years of growth, the annual aggregate number of data breach notifications fell for the first time this year. A total of approximately 109,000 personal data breaches were notified to regulators since 28 January 2022, a decrease on last year’s total of approximately 120,000. This might suggest that organisations are becoming more wary of notifying breaches for fear of investigations, enforcement, fines and compensation claims that might follow.
“A proportionate, risk based approach to the interpretation of GDPR’s restrictions on international transfers of personal is not just permitted but in our view is legally required.”
Global Co-Chair Data Protection and Cybersecurity
There have been some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific transfers. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).
Commenting on the survey, Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper said:
“A proportionate, risk based approach to the interpretation of GDPR’s restrictions on international transfers of personal is not just permitted but in our view is legally required. Adopting an “absolutist” approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks causing real lasting harm to consumers by restricting transfers which underpin many of the progressive technologies and services which benefit our digital society. We hope that supervisory authorities reconsider the absolutist approach taken in some of the early enforcement decisions relating to international transfers.”
The survey also reports a growing trend among European data protection supervisory authorities to openly grapple with AI issues, recognising the inextricable link between AI systems and personal data. The survey predicts more AI law, guidance and enforcement, including by data protection supervisory authorities, in the year ahead.