GDPR Supervisory Authorities Have Received 59,000 Data Breach Reports and Issued 91 Fines

DLA Piper’s new report shows there have been 59,430 data breaches reported to EU regulatory authorities since May 25, 2018 when GDPR compliance started to be enforced. Most of the reported data breaches were from the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).

The Netherlands also had the most reported breaches per capita, followed by Ireland and Denmark. That does not mean that those countries have suffered more data breaches per se, as many non-EU companies have registered bases in those EU member states. Data breaches are counted in the total for the country where the EU HQ is established. Numerous non-EU companies, such as Google, Twitter, Facebook and Microsoft, have their European HQ Ireland, for example.

It was a challenge getting precise figures for data breaches. Official EU statistics indicate that only 41,502 data breaches were reported from the compliance deadline to January 28, 2019, but those figures do not include Norway, Iceland, and Lichtenstein, as they’re not EU members but members of the European Economic Area (EEA). The official statistics only included the data breaches of 21 of 28 member states.

For the DLA Piper report, data were taken from the breach reports filed in 23 EU member states and from EEA members. Bulgaria, Croatia, Estonia, Lithuania, and Slovakia did not release official figures on data breaches.

The number of reported data breaches to date seems to be higher than before GDPR came into effect. That doesn’t necessarily mean data breaches have increased. It is more likely that organizations are reporting data breaches more frequently. Data breach reports are also being issued much faster now. GDPR requires breach notifications to be issued within 72 hours of discovering a breach.

Fines Issued for GDPR Violations and Breaches

According to DLA Piper, there have been 91 financial penalties issued for violations of GDPR to date. Besides data breaches, GDPR regulatory authorities investigate complaints about privacy violations. The largest GDPR violation penalty to date was issued to Google by CNIL – €50 million ($57 million) – which was the result of an investigation into a privacy violation rather than a data breach.

Germany’s supervisory authorities have been the most active GDPR enforcers since the May 25, 2018 compliance deadline. Of the 91 fines issued to date, 64 were issued in Germany, including the two biggest financial penalties for data breaches. The German Data Protection Authority LfDI issued a fine of €20,000 ($22,700) to chat platform Cuddles for storing the passwords of users in clear text. LfDI also fined an organization €80,000 ($91,000) for publishing health data online.

Only a few fines were issued as a result if data breaches; although more fines are to be expected. A lot of supervisory authorities have received large numbers of breach notices and have a considerable backlog to clear. Some of those breaches will almost certainly attract a financial penalty.

DLA Piper remarks that most of the fines issued thus far have been much lower than the maximum penalty (€20 million or 4% of global yearly turnover). DLA Piper is expecting several fines of the order of tens or hundreds of millions of euros to be issued in 2019 as a result of GDPR violations and data breaches.