Europe’s data protection regulators issued over €1bn ($1.1bn) in GDPR fines since January 2021, a massive 594% year-on-year increase, according to international law firm DLA Piper.
The firm’s annual figures are a useful indication of the level of regulatory activity among the region’s privacy regulators.
It claimed that there had been an 8% rise in breach notifications, to 130,000 for the region since January 28 last year.
The study applies to the 27 EU member states plus the UK, Norway, Iceland and Liechtenstein, which also follow the GDPR.
Interestingly, it is tiny, land-locked Luxembourg that imposed the most significant individual fine: a €746m penalty for Amazon for failing to process customers’ data in accordance with the law.
Ireland came in second place with a €225m fine levied against WhatsApp, and France rounded out the top three by fining Google €50m, although that was issued several years ago.
However, the size of GDPR fines is something of a distraction from the biggest challenge for data protection officers around Europe: complying with the provisions of the “Schrems II” judgment.
According to DLA Piper, organizations risk suspension orders, fines, claims for compensation and service disruption if they export data to third countries outside the remit of the GDPR without first carrying out detailed assessments. These are required to ascertain the risk of interception of EU citizens’ data by public authorities such as local police and intelligence services in those countries.
“The nearly sevenfold increase in fines may grab the headlines but the Schrems II judgment and its profound implications for data transfers has established itself as the top data protection compliance challenge for many organizations caught by GDPR,” argued Ross McKean, chair of the UK Data Protection and Security Group.
“The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims. The focus on transfers and the significant work required to achieve compliance inevitably means that organizations have less time, money and resource to focus on other privacy risks.”