Europe's privacy overhaul has led to $126 million in fines - but regulators are just getting started
The EU’s GDPR privacy law led to over 160,000 data breach notifications, according to law firm DLA Piper. The biggest penalty under GDPR to date was a fine of 50 million euros imposed on Google, DLA Piper says. DLA Piper Partner Ross McKean says there will be “slow progress” before much bigger fines are imposed.
The European Union’s overhaul of data privacy regulation is estimated to have generated 114 million euros ($126 million) in fines since it was introduced almost two years ago.
Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has led to over 160,000 data breach notifications across Europe, according to research from multinational law firm DLA Piper.
Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said his firm’s findings showed “we’re still in the very early days” of enforcement. It’s been roughly 20 months since the EU’s new rules were introduced.
“It’s not a huge surprise that we’re seeing a slow start to fines, but there’s more to come,” McKean told CNBC in an interview.
The biggest fine under GDPR to date was a penalty dished out by the French data protection regulator. The CNIL fined Google 50 million euros last year for alleged infringements of GDPR. Those infringements were related to transparency and a lack of valid consent, rather than a data breach.
Under GDPR, a company can be fined up to 20 million euros or up to 4% of its annual revenue, whichever is the greater amount. The stakes are considerable for companies like Google and Facebook, which handle a huge amount of data and make billions of dollars every year.
Authorities have been looking into potential violations of the landmark EU law across the continent. Ireland’s Data Protection Commission has multiple ongoing investigations into GDPR violations, probing a range of big tech companies from Facebook to Apple.
Britain’s Information Commissioner’s Office last year announced notices of intent to impose fines on British Airways and Marriott International, collectively amounting to about £282 million, but DLA Piper points out that both penalties have yet to be finalized.
The regulator also fined Facebook £500,000 ($651,000) over the Cambridge Analytica scandal, but that pertained to privacy violations that took place before GDPR was introduced.
Cambridge Analytica, which once claimed to have run all the digital operations for President Donald Trump’s 2016 presidential campaign, found itself at the heart of a massive privacy headache for Facebook in 2018. The social network improperly shared the data of 87 million users with the now-infamous — and defunct — U.K. political consultancy.
DLA Piper said that the rate of data breach notifications increased almost 13% from the first eight months of GDPR to the current year.
The firm notes that not all member states of the EU make their breach notification statistics publicly available and that many only provided figures for part of the period covered by the report. It therefore rounded up the numbers and, in some cases, had to extrapolate to provide accurate approximations.
GDPR has been a point of notable frustration for Europe’s data protection authorities, as well as businesses. While the regulators have the power to levy sizable fines, DLA Piper’s McKean said that some may be put off doing so as they’re often under-resourced and wary of being faced with appeals.
Labelling GDPR a “vague law,” McKean said: “It is going to be a slow progress to get the legal certainty regulators need to start whacking companies with higher fines.”