Companies in Europe have been hit with fines worth €272.5m (£242.3m, $329m) for a wide range of infringements of the General Data Protection Regulation (GDPR), Europe’s tough data protection laws that came into effect in 2018, law firm DLA Piper revealed.
The figure is taken from its latest annual fines and data breach report of the 27 EU member states plus the UK, Norway, Iceland and Liechtenstein.
Italy’s regulator tops the rankings for aggregate fines, having imposed more than €69.3m since GDPR was imposed on 25 May 2018. Germany and France came second and third with aggregate fines of €69.1m and €54.4m respectively.
In total, there have been more than 281,000 data breach notifications since the application of GDPR, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table for the most recorded.
France and Italy logged 5,389 and 3,460 data breach notifications for the same period, “illustrating the cultural differences in approach to breach notification,” the report said.
The aggregate daily rate of breach notifications in Europe experienced double-digit growth for the second year running, with 331 notifications per day since 28 January 2020, a 19% increase year-on-year.
The highest GDPR fine to date remains the €50m one imposed by the French data protection regulator on Google (GOOG), for “alleged infringements of the transparency principle and lack of valid consent,” the report noted.
Following two high profile data breaches, the UK Information Commissioner’s Office published two notices of intent to impose fines in July 2019 totalling £282m.
However, in a “significant climbdown by the UK regulator,” the final fines imposed in October 2020 were greatly reduced to £20m and £18.4m.
“We have seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship,” noted Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group.
“During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”
The Schrems II case McKean mentioned relates to a decision by the Court of Justice of the European Union made in 2019 which stated that the EU-US Privacy Shield framework is an insufficient mechanism to ensure compliance with EU data protection requirements, according to US blog Lawfare.
EU authorities are expected to take a closer look at companies exporting personal data outside the region.
Last month, Twitter (TWTR) was fined €450,000 by Ireland’s data watchdog, making it the first major US tech company to face sanctions under the GDPR.