2021 saw almost €1.1 billion ($1.2 billion) in financial penalties imposed for violations of the EU’s General Data Protection Regulation (GDPR) by EU Data Protection Authorities, which is more than a 600% increase from the €159 million ($181 million) in penalties in 2020.
The high fine total was largely down to two major financial penalties. The largest GDPR financial penalty of the year, and the largest to date by some distance, was a €746 million ($846 million) penalty imposed by the Luxembourg National Commission for Data Protection on Amazon Europe Core S.a.r.l for noncompliance with the general data processing principles of the GDPR. Ireland’s Data Protection Commission imposed the second largest financial penalty to date – €225 million ($255 million) on WhatsApp for violations of the data processing transparency principles of the GDPR. Both companies are appealing the penalties.
The fines are substantially higher than the previous record fine of €50 million ($56.7 million) imposed by the French Data Protection Authority on Google in late 2020. Those two large financial penalties have pushed Luxembourg to the top of the table for total aggregated GDPR penalties, followed by Ireland, Italy, and Germany.
According to DLA Piper’s GDPR and data breach report, the number of data breach notifications has increased for the third successive year, rising by 8% in 2021 to 130,000 notifications to EU Data Protection Authorities about breaches of the personal data of EU citizens. On average, 356 data breach notifications were reported to regulators per day in 2021. The Netherlands had the highest per capita figure, at 150.7 data breach notifications per 100,000 people, followed by Liechtenstein with 136 notifications per 100,000 citizens and Denmark with 132.
The report draws attention to a potential compliance risk for organizations that must comply with the Schrems II judgment (Data Protection Commissioner v Facebook Ireland and Schrems). Privacy activist Max Schrems brought a case against Facebook Ireland which was heard by the EU’s Court of Justice and concerned data transfers between the EU and US. The Court of Justice of the European Union ruled that the EU-US Data Privacy Shield, relied upon by many companies that transfer data between the United States and the European Union, was invalid due to potential surveillance by US law enforcement agencies.
The judgment means all organizations that engage in data transfers from the EU to the US must complete comprehensive mapping of the transfers and conduct detailed assessments of the legal risks of interception of personal data by federal and state authorities in the US, or other countries where importers are located. That significantly increases the compliance burden and any mistakes expose those importers to considerable risk.
The judgment could result in significant fines being imposed, or arguably far more serious, the suspension of data transfers. While Schrems II was an important ruling, DLA Piper points out that the time and resources that now have to be devoted to compliance with the judgment may mean less time and effort is focused on other potential privacy risks, which could be far more serious for EU citizens.
“What is really needed is a resolution of the underlying conflict of laws rather than imposing an unrealistic compliance burden onto business and another headwind to international trade as we emerge from the global pandemic,” said Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group.