The EU’s GDPR means that fines are on the rise

There have been over 160,000 data breach notifications across Europe since the GDPR came into force in May 2018, resulting in $126 million in fines.

The countries to have received the highest fines are France (€51 million), Germany (€24.5 million) and Austria (€18 million). The Netherlands, Germany and the UK are the countries which ranked the highest for the number of data breaches reported to regulators. Notwithstanding this, the highest single fine to date was the €50 million imposed on Google by the French data protection regulator CNIL. However, this fine related to alleged breaches of the transparency principle, which requires any information addressed to the public to be concise, easily accessible and easy to understand, and to a lack of consent, rather than to a data breach.

Under GDPR, a company can be fined up to €20 million or 4% of its global annual turnover of the preceding year, whichever is greater, for severe violations. Therefore, companies such as Facebook, Google and Twitter, which handle large amounts of data, have a considerable burden placed on them to ensure that they comply with GDPR in order to avoid the sizeable fines which could be imposed on them by regulators. In July 2019, the UK’s Information Commissioner’s Office (ICO) issued notices of intent to impose fines on Marriott International for £99 million and British Airways for £183.39 million for data breaches under the GDPR. As yet, these fines have not been finalised, demonstrating the slow start to the regulatory process. The GDPR has only been in effect for about 20 months. This is an insufficient amount of time for regulators to develop an effective and concise enforcement process. Over time, it is highly likely that we will see the number of fines being imposed increase, as regulators will make full use of their powers as clarity in this area of law develops.

Moving forward, it is expected that the number of fines being issued will rise in line with the daily rate of breach notifications, which has increased from 247 notifications per day (the average during the first eight months of the GDPR) to 278 breach notifications per day.

If you require legal assistance regarding the GDPR, then please do not hesitate to contact Christopher Buck, Associate Partner in our Business Services Department, on 01908 660966 / 01604 828282 or at christopher.buck@franklins-sols.co.uk.

Disclaimer: The information provided on this blog is for general informational purposes only and is accurate as of the date of publication. It should not be construed as legal advice. Laws and regulations may change, and the content may not reflect the most current legal developments. We recommend consulting with a qualified solicitor for specific legal guidance tailored to your situation.