EU data protection authorities continue to actively enforce the GDPR. Enforcement has increased sharply during the last six months, with many data protection authorities (DPAs) levying large fines against organisations of all sizes and across various sectors. We summarise the main developments below. See also our interactive graphics for further details.
EU enforcement – a summary of the last half year (March to October 2021):
The size and frequency of GDPR fines have risen in the last six months. Since March, the EU DPAs have issued around 150 fines to organisations across various sectors. (Our dataset is accurate as of 11 October 2021. The dataset is not exhaustive: it is a compilation of enforcement decisions that were officially published or publicly confirmed by the national DPAs.) They have issued a total of 208 fines so far in 2021, compared with 168 fines during the whole of 2020 (see our Global Data Risk Report here). In the last six months, the Spanish DPA (AEPD) has continued to be the most active regulator in Europe, issuing 64 fines. The Italian DPA (Garante) has also been active, issuing 21 fines, primarily spread across the healthcare, TMT and public sectors. The same period has seen a material uptick in enforcement from the DPAs of Luxembourg, Belgium and Ireland. Since March, there have been 10 GDPR fines of €1m or more, with the highest fine amounting to €746m. So far in 2021, EU DPAs have issued 13 fines of €1m or more, compared with 14 fines for the whole of 2020. The most heavily sanctioned sectors have remained the same: the healthcare, TMT, consumer and public sectors.
National trends:
Luxembourg – In the last six months, the DPA of Luxembourg (CNPD) issued a €746m fine against Amazon in relation to unlawful advertising practices. The CNPD’s official decision is not public, because of national professional secrecy laws and because Amazon may appeal the decision. This fine is the largest GDPR fine to date and the second highest data privacy fine in the world. Interestingly, the CNPD only started to levy GDPR fines from May 2021. Since then, it has issued 11 GDPR fines. Ten of those eleven fines were between €1,000 and €18,000. This is just one example of historically quieter DPAs becoming more active, and they are prepared to issue high fines for severe infringements.
Ireland – In the last six months, the Irish DPA issued the second highest GDPR fine to date. The €225m fine was against WhatsApp, for transparency and data subject rights infringements. This proceeding is novel because, before the fine was imposed, the EDPB issued a binding decision on the matter. After concluding its investigation, the Irish DPA (DPC) circulated its draft decision to the other DPAs, proposing a fine of €30-50m and various corrective measures. Eight of the European regulators objected to the draft decision, arguing that the DPC had not adequately addressed several issues, was too lenient, and had limited the scope of the investigation. As the DPC and the other DPAs could not reach an agreement, the matter was referred to the EDPB under article 65 GDPR. In its binding decision, the EDPB upheld many of the other DPAs’ objections, including that (a) the DPC’s six-month compliance period was too lenient and (b) the proposed fine was inadequate because the DPC had not considered the global annual turnover of the parent company. Although the fine itself has been widely debated, the EDPB’s and the DPC’s decisions provide useful guidance on GDPR enforcement. The case also shows that the approach to enforcement among EU DPAs continues to be fragmented.
Spain – The Spanish DPA (AEPD) continues to issue the most GDPR fines in Europe. So far in 2021, the AEPD has issued around 80 fines. Notably, it has also started issuing higher fines. This year, it has issued five fines of €1m or more, with the highest fine amounting to €8.15m. The AEPD continues to fine organisations repeatedly. For example, one organisation has been fined 10 times for various breaches in 2021 alone. The AEPD also continues to show a particular interest in enforcing against organisations in the TMT, financial, and public sectors.
GDPR hot topic – data and cyber breaches:
In the last six months, data and cyber breaches and data security incidents (article 32 GDPR) have been at the centre of GDPR enforcement. As the number of data and cyber breaches has continued to increase, so has enforcement activity. Since March, around one fifth of the GDPR fines levied have been for data and cyber breaches and data security incidents. This shows that article 32 GDPR breaches are a key area of enforcement for the EU DPAs. The fines range from €200 to €4.5m, with the Italian DPA having issued the highest fine, against Fastweb. Some EU DPAs, like those in Denmark and Cyprus, have shown a particular interest in article 32 GDPR breaches, with most of their fines being issued for that reason. Organisations should review whether they have appropriate technical and organisational measures (TOMs) in place to mitigate the risks of data and cyber breaches and data security incidents. We predict that enforcement of article 32 GDPR breaches will continue to increase as EU DPAs focus on ensuring that personal data is protected from unauthorised access and data leaks.