
€114m in GDPR penalties, but €0 in Lux: DLA Piper




There have been more than 160,900 reported personal data breaches following the introduction of the EU’s General Data Protection Regulation.

Across the European Economic Area, that comes out to “on average 247 breach notifications per day,” according to a report issued by DLA Piper, a law firm.

Luxembourg recorded a total of 545 notifications between 25 May 2018 and 27 January 2020, including 345 from 28 January 2019 to 27 January 2020 and 200 from 25 May 2018 to 27 January 2019, the report said.

The most notifications were filed, unsurprisingly, in larger EEA countries--the Netherlands (40,647), Germany (37,636) and the UK (22,181) topped the table--and in Ireland (10,516), home to a large number of data centres and internet operations.

Luxembourg rate on higher side

In the grand duchy, there were 56.97 data breaches per 100,000 people between 28 January 2019 and 27 January 2020. That is the sixth highest rate out of the 27 European countries in the DLA Piper study.

Luxembourg ranked behind the Netherlands (147.2 data breaches per 100,000 people), Ireland (132.52), Denmark (115.43), Iceland (91.15) and Finland (71.11). The countries with the lowest proportion of reported data breaches were France (3.2), Spain (2.08), Italy (2.05), Romania (1.9) and Greece (1.5).

Regulatory penalties

No GDPR fines were levied in Luxembourg between 25 May 2018 and 17 January 2020, DLA Piper reported.

France imposed the largest total amount of GDPR fines: €51.1m (although this includes a €50m fine on Google for breaking transparency and consent rules). German data protection agencies handed out at least €24.5m in penalties, while the figure was €18.1m in Austria, €11.6m in Italy and €3.2m in Bulgaria.

Ross McKean, a partner at DLA Piper, stated in a press release:

“GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Patrick Van Eecke, chair of DLA Piper's international data protection practice, stated in the same announcement:

“The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”

The report covers the EEA, which consists of the EU28, Iceland, Liechtenstein and Norway. But DLA Piper noted that not all national and regional data protection agencies release notification statistics, so these figures are potentially incomplete and some were extrapolated.

The “DLA Piper GDPR data breach survey: January 2020” report was released on Monday.