European data regulators issued a record €2.92bn ($3.16bn) in fines from January 28, 2022 to January 27, 2023, a 168% increase from 2022, new data shows. The report, GDPR and Data Breach survey, which is published by the international law firm DLA Piper, details breaches in all countries including the UK, Norway, Iceland, and Liechtenstein.
“The increase demonstrates supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR, particularly against large technology vendors, and has also been influenced by the highly inflationary impact of the European Data Protection Board (EDPB),” the report states.
Despite the big increase in fines, the average amount of daily breach notifications was slightly lower than last year running at an average 300 during the last 12 months, compared to 328 in 2022.
A total of around 109,000 personal data breaches were notified to regulators, a small decrease to the previous total of 120,000 breaches.
“The increase demonstrates supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR.”
This decrease could be because “organisation’s GDPR notification procedures have become more mature and also due to more sophisticated recording of data breach notification figures by data protection supervisory authorities”, the report states.
The reduction in breach notifications might also be due to organizations becoming more wary of reporting data breaches, where they know of the potential risk of investigations and enforcement actions, including fines and compensation claims that could follow a notification.
Children’s data
Meta Platforms Limited in Ireland faced the biggest fine of the year, €405m ($439m). This was imposed by the Irish Data Protection Commissioner (DCP) over failure to protect children’s personal data on Instagram. That action is also the first EU-wide decision on children’s data protection rights.
Later, the Irish DPC fined Meta again, this time €265m ($275m) for data protection “by design and default” failings, which led to the exposure of personal details of 533 million users. However, both fines are currently under appeal.
Companies based in Ireland dominated the list of the year’s largest fines, as well as suffering the biggest aggregated value of fines since 2018, totalling over €1.3bn ($1.4bn). Five of the 10 biggest GDPR fines, all issued by the DPC this year, were imposed on Irish-based Meta.
The biggest individual fine ever, €746m ($790m), was imposed on Amazon in July 2021 by the Luxembourg data protection supervisory authority. This fine is also under appeal.
Netherlands most breaches
While the biggest fines were issued on companies in Ireland, the Netherlands had the most data breach notifications in total. Since May 25, 2018, the top 10 countries with the most personal data breach notifications are:
- Netherlands – 117,434
- Germany – 76,967
- UK – 49,213
- Poland – 41,751
- Denmark – 34,516
- Ireland – 29,692
- Sweden – 23,411
- Finland – 20,880
- France – 15,748
- Norway – 9,414
Lichtenstein has the lowest number of data breach notifications, with just 147 in total.
Looking at the total value of all fines, Ireland takes the lead with over €1.3bn ($1.4bn), Luxembourg is second with €746m ($790m) and France third with €428m ($465m). Most European countries have total aggregated fines up to €10m ($10.8m).
The rest of the total fines are as follows:
- Netherlands – €13,754,500;
- Norway – €9,835,809;
- Portugal – €6,156,500;
- Bulgaria – €3,564,919;
- Poland – €3,396,348;
- Hungary – €2,235,000;
- Finland – €2,089,500;
- Latvia – €1,596,534;
- Cyprus – €1,282,100;
- Belgium – €1,271,900;
- Denmark – €1,270,000;
- Romania – €889,547;
- Croatia – €752,870;
- Czech Republic – €440,300;
- Malta – €439,000;
- Slovakia – €422,100;
- Lithuania – €244,500;
- Iceland – €220,000;
- Estonia – €34,924; and
- Liechtenstein – €4,209.
In US Dollars, the range between highest and lowest total fines is $1,410,526,890 and $4,555.
Enforcement trends
Continuing the trend seen last year, the report also showed that supervisory authorities prioritised enforcement actions in relation to breaches of the core data protection principles in Article 5 GDPR.
These actions were taken on companies failing to comply with the lawfulness, fairness and transparency principle (Article 5(1)(a)) and the integrity and confidentiality principle (Article 5(1)(f)).
Article 5 GDPR (1)
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).