Fines have been imposed on companies for various breaches of EU privacy rules, and represent an increase of 585 percent compared to the same period last year, when the figure stood at 158.5 million euros. In Norway, fines under 8 million euros are issued during the same period. The figures are taken from a new report prepared by law firm DLA Piper. The report covers the 27 EU member states, as well as the UK, Norway, Iceland and Liechtenstein
Record breaking fines
Luxembourg and Ireland awarded two record GDPR fines in 2021, affecting US e-commerce platforms (€746 million) and WhatsApp Ireland Limited (€225 million), respectively. Both cases are the subject of ongoing appeals.
Luxembourg and Ireland thus rise from the bottom to the top of the list of countries that have distributed the largest individual fines.
– The privacy year 2021 saw a marked increase in the number of fines and sizes. In Europe, hefty fines go to online giants like Google, while here at home, the Data Inspectorate is distributing Norway’s largest fee to date to dating app Grindr of NOK 65 million. However, most of the focus is probably the Data Inspectorate’s decision to quit and use Facebook, said Petter Bjerke, who heads the DLA Piper Norway professional group for data privacy and security.
Increased number of reporting violations
The number of reported personal data security breaches is also steadily increasing.
– We see continued growth in the number of reported violations. Whereas in 2020 an average of 331 notifications per day, 356 notifications per day are the final results of 2021, an increase of 8 percent, said Peter Bjerke.
With regard to population, the Netherlands, Liechtenstein and Denmark most frequently report irregularities to the supervisory authorities. With 44.12 irregularities reported per resident, Norway is number ten on the list. Compared to the same period last year, where the figure was 37.9, this represents a 16 percent increase in reported deviations per inhabitant.
In total, more than 130,000 violations were reported.
The Schrems II decision presents a challenge
Despite the significant increase in fines, the so-called Schrems II decision of the European Court of Justice in 2020 is the biggest challenge to complying with privacy rules for many companies covered by the GDPR. The ruling places strict restrictions on the transfer of personal data from Europe and the UK to “third countries”.
The decision means that companies exporting personal data from Europe and the UK to third countries must carry out a comprehensive survey of these transfers and a detailed assessment of the legal and practical risks of surveillance by public authorities in the country where the recipient is located.
Here in Norway, among other things, the toll company Ferde has been fined NOK 5 million for the illegal transfer of personal data about Norwegian motorists to China.
According to the findings of the investigation, the Schrems II ruling not only poses a risk of fines and demands for damages, but also threatens to stop the transfer of personal data.
– Threats to stop the transfer of personal data are potentially far more dangerous and expensive than threats of fines and claims for damages. The focus on transfers and the significant work required to achieve compliance inevitably means that organizations have less time, money and resources to focus on other privacy risks, said Peter Bjerke.
- Luxembourg, Ireland and France topped the table with the largest individual fines issued (EUR746 million, EUR225 million and EUR50 million, respectively).
- More than 130,000 security breaches were reported in 2021, which is an 8% increase over 2020.
- The Netherlands is the country that reports the most deviations per capita.
- The increase in fines is significant, but the European Court of Justice’s Schrems II ruling, which limits the international transfer of personal data, is the biggest challenge for many companies covered by the GDPR.
“Certified introvert. Devoted internet fanatic. Subtly charming troublemaker. Thinker.”