Fines for violations of the European Union’s landmark privacy law have soared nearly sevenfold in the past year, according to new research.
EU data protection authorities have handed out a total of $1.25 billion in fines over breaches of the bloc’s General Data Protection Regulation since Jan. 28, 2021, law firm DLA Piper said in a report published Tuesday. That’s up from about $180 million a year earlier.
Notifications of data breaches from firms to regulators climbed more modestly, by 8% to 356 a day on average.
GDPR has been in force since 2018. The sweeping changes to EU’s data rules are aimed at giving consumers in Europe more control over their information.
Companies are required to obtain clear consent from users before processing their details. And firms must notify authorities about any data breach within 72 hours of first becoming aware of it.
Failure to comply can result in potentially hefty fines — namely, up to 4% of a company’s annual global revenues or 20 million euros ($22.8 million), whichever is the bigger amount.
“GDPR has certainly been effective in making everyone sit up and listen to data protection law and data protection enforcement,” Ross McKean, chair of DLA Piper’s U.K. data protection and security group, told CNBC.
“Prior to GDPR, if you got hit with a fine and you were one of the bigger processors, it was a rounding error, it would barely pay for the Christmas party. Now, you’ve got fines that are close to a billion euros.”
Record fines
Last year saw EU regulators impose record fines under GDPR, with Big Tech taking the brunt of the penalties.
Luxembourg’s privacy watchdog fined Amazon 746 million euros ($850 million) while authorities in Ireland slapped Meta’s WhatsApp with a 225 million euro penalty. Both firms are in the process of appealing the respective fines.
“It takes a while once you introduce large scary fines for regulators to impose those fines,” McKean said. “That’s because investigations take a while. And the law is still full of lots of open legal questions.”
Among those open questions is the issue of cross-border data transfers between the EU and the U.S.
In 2020, the European Court of Justice made a seismic ruling invalidating the use of the Privacy Shield framework, a legal framework for moving data across the Atlantic. The ruling was dubbed “Schrems II,” after Austrian privacy activist Max Schrems, who originally launched the case.
While the Privacy Shield was invalidated, the ECJ maintained the validity of standard contractual clauses, another mechanism for ensuring EU-U.S. data flows are legally sound. However, firms are still scrambling to figure out the implications of the ruling.
The main contention of the ruling is that the U.S. data protection regime is not equivalent with that of the EU.
Legal uncertainty
McKean says a major “headache” for organizations going forward is legal uncertainty surrounding EU-U.S. data transfers.
Standard contractual clauses (SCCs), by far the most popular method for legally processing such transfers, are on “life support,” McKean said, as officials in the EU and U.S. hash out plans for a new data pact to replace Privacy Shield.
Facebook parent company Meta has been caught up in an intense dispute with the Irish Data Protection Commission over the matter. The DPC has ordered Meta to stop using SCCs to send user information from Europe to the U.S., as it investigates the company’s data transfer practices.
Meta secured a temporary freeze on the order, but it was dismissed by Ireland’s High Court, which allowed the watchdog to proceed with its inquiry.
In a notable case recently, Austria’s data protection watchdog said the use of Google Analytics violates GDPR as it potentially exposes users’ data to U.S. intelligence agencies. The decision targets a website publisher using Google’s web analytics service, rather than Google itself.
Like Meta and other large U.S. tech companies, Google relies on SCCs to process EU-U.S. data transfers. At the time, Google said firms using Google Analytics “control what data is collected with these tools, and how it is used,” and that the company provides a “range of safeguards, controls and resources for compliance.”
“Every organization — with some limited exceptions — has an international supply chain and international data transfers,” McKean said, adding the Schrems II ruling has had a “profound” impact on businesses of all shapes and sizes.
In addition to increased legal uncertainty, McKean says he expects to see further appeals of GDPR fines emerge in 2022.