Data Breach Survey Intro
DLA Piper’s Cybersecurity and Data Protection Team recently published the GDPR fines and data breach survey: January 2022, looking at key GDPR metrics across the European Economic Area and the UK.
The Survey is available for download, along with a recording of a webinar in which members of DLA Piper’s Cybersecurity and Data Protection Team discuss the implications of the Survey in more detail.
The key findings of the Survey include:
- a sevenfold increase in GDPR fines, with just under EUR1.1 billion (AUD1.75 billion) in fines being issued by data protection supervisory authorities in the 12 months commencing on 28 January 2020;
- a year of record-breaking fines, including a fine of EUR746 million issued by Luxembourg’s data protection supervisory authority against a US online retailer and e-commerce platform; and
- an 8% increase in the number of data breach notifications, with more than 130,000 personal data breaches notified to regulators, an average of 356 per day.
Australian organisations ought to take note of these trends. Whilst fines for privacy breaches do not often make headlines in Australia, with the Office of the Australian Information Commissioner (OAIC) generally preferring a more conciliatory approach, there are signs this may be changing.
The draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, published in September 2021, will, if passed, increase the maximum penalty payable under the Privacy Act 1988 (Cth) from AUD2.2 million to the greater of AUD10 million, three times the value of the benefit obtained from the relevant conduct, or 10% of annual domestic turnover. The delayed Privacy Act review may also result in further changes to the enforcement mechanisms for privacy breaches in Australia, with a direct right of action for individuals and a statutory tort of privacy discussed in the Attorney-General’s Issues Paper.
In what may signal a change of regulatory approach in Australia, the OAIC is currently pursuing Facebook in the Federal Court in respect of the Cambridge Analytica incident. The OAIC is hoping to establish that a separate breach occurred in respect of each of the 311,127 Australian Facebook users affected by this incident, which would increase the quantum of the penalty payable by Facebook to match those attracting headlines under the GDPR.
Regardless of the outcome of the Facebook proceedings, there is likely to be an even greater focus on data breaches and privacy compliance generally throughout 2022. To the extent that any Australian organisations do not currently view compliance with the Privacy Act as a material risk for their business, now is the time to re-examine that approach.