The cost of GDPR fines surged 168% to over €2.9bn ($3.1bn) over the past year, although the average number of reported breaches per day fell slightly, according to new data from DLA Piper.
The global law firm’s annual report analyzed all published records of financial penalties levied by national data protection regulators across the EU’s 27 member states, the UK, Norway, Iceland and Liechtenstein. However, it cautioned that it is possible more fines have been issued and not published.
Meta had the dubious honor of receiving the biggest fine, after the Irish Data Protection Commissioner (DPC) last year levied a €405m ($429m) charge for failing to protect the personal information of children using Instagram.
More recently, the social networking giant was fined €390m ($413m) by the same regulator for breaches of the GDPR related to its choice of legal basis to process users’ data.
Those fines attack the “grand bargain” between consumers and advertisers which underpins much of the commercial internet, argued Ross McKean, chair of DLA Piper’s UK Data Protection and Cybersecurity Group.
“The spate of Irish Data Protection Commissioner fines targeting the behavioral advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the ‘grand bargain’ at the heart of today’s ‘free’ internet, as Schrems II has been for international data transfers,” he claimed.
On the latter point, the report also cited arguments by national data protection supervisory authorities this year that it’s not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries.”
That would effectively mean a ban on transfers to any country where the possibility of state access to data gives rise to any risk of harm.
However, DLA Piper’s Ewa Kurowska-Tober argued that such an “absolutist” approach risks harming consumers in the long term.
“A proportionate, risk-based approach to the interpretation of GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required,” she added.
“Transfers have many benefits for consumers and for society, by ensuring the rapid development and roll-out of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people. We hope that supervisory authorities reconsider the absolutist approach adopted in these early enforcement decisions.”
The report also revealed a year-on-year drop in the average number of breach notifications across the region from 328 to 300.
However, rather than indicate that organizations are getting better at data protection, DLA Piper suggested the fall may be due to corporate legal teams becoming warier of notifying breaches for fear of investigations, fines and compensation claims.