A new survey found that regulators have thus far imposed $126 million worth of fines for data breaches and other GDPR infringements.
According to DLA Piper’s GDPR Data Breach Survey, data protection regulators imposed €114 million (about US$126 million / £97 million) in GDPR-related fines between May 25, 2018 and January 27, 2020. The international law firm pointed out that France, Germany and Austria received the highest totals of those fines at €51 million, €24.5 million and €18 million, respectively.
DLA Piper did not take into account the announcement of a £183 million GDPR fine against British Airways or a £99 million GDPR fine against Marriott International, Inc., by the UK Information Commissioner Office (IC) for its study. That’s because the ICO had not finalized or imposed the fines at the time when DLA Piper was writing up its summary report.
The authors of the survey wrote that these findings indicate that “relatively few fines have been imposed under the new GDPR regime.” Even so, they cautioned that this won’t necessarily be the case going forward. As they pointed out in their report:
It would be unwise to assume that low and infrequent fines will be the norm going forward. Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines. We expect to see more multi million Euro fines in the coming year.
Even so, it remains to be seen whether these GDPR fines will produce any lasting change. Nearly half (42%) of respondents told Tripwire in a Twitter poll that they felt the fines announced for British Airways and Marriott were too little. Even more (52%) disclosed their belief that the fines won’t produce enough change at those companies.
Data protection supervisory authorities within the European Economic Area (EEA) received a total of more than 160,000 personal data breach notifications leading up the completion of the survey, DLA Piper noted.