Global law firm DLA Piper publishes the 2023 edition of its annual GDPR and Data Breach survey revealing total fines issued for a wide range of GDPR infringements and the league table of fines issued by country since January 28th 2022. The survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein.
• European data protection supervisory authorities have issued EUR 1.64 billion since 28 January 2022, a 50% increase against the previous year
• Significant penalties levied against Meta IE by the Irish Data Protection Commissioner (DPC) place a spotlight on the “grand bargain” between consumers and online service providers: “free” services in exchange for consumers’ personal data which can then be used to create lucrative advertising profiles. The fines attack the cornerstone of this “grand bargain”
• This year’s highest fine of EUR 405 million (USD429 million / GBP352 million) was imposed by the Irish Data Protection Commissioner against Meta Platforms Ireland Limited relating to Instagram for various alleged failures to protect children’s personal data.
• The average number of notified data breaches per day fell slightly from 328 notifications per day to 300 notifications per day** suggesting that organisations might be becoming warier of notifying breaches for fear of investigations, fines and compensation claims. The Netherlands remains at the top of the table for the number of breach notifications made per 100,000 capita
• Luxembourg remains at the top of the country league table for the highest GDPR fine imposed since 25 May 2018: a fine of EUR 746 million (USD790 million / GBP649 million). But Ireland is catching up, taking the 2nd, 3rd, 4th, 5th and 6th places in the country fines league table after a very busy year for the DPC
• With so many technology firms based in Ireland or Luxembourg and the continued focus of European data regulators on this sector, DLA Piper foresees Ireland and Luxembourg likely remaining at the top of the league table for years to come
Global law firm DLA Piper has today published the findings of its annual GDPR and Data Breach Survey. The Europe-wide*** survey has revealed another record year with a 168% year on year increase in the total value of fines issued across Europe.
Among the largest fines levied were those against Meta Platforms Ireland Ltd. (Meta) demonstrating that social media, and its reliance on extensive processing of personal data, have been a particular focus of regulatory action. Several of the largest fines imposed against Meta this year by the Irish DPC relate to Facebook and Instagram’s behavioral profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data. While the Irish DPC originally concluded that this was possible, the influential European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers, and how “free” online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed and years of subsequent litigation.
The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day this year. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.
While personal data issues around advertising and social media have dominated headlines this year, there is a growing focus on Artificial Intelligence, and the role of personal data used to train AI. Most prominently this year multiple investigations into facial recognition company Clearview AI took place following complaints by digital rights organisations, including Max Schrems’s organisation My Privacy is None of your Business (NOYB) with several fines issued. As AI and machine learning platforms continue to become more ubiquitous, the survey predicts more regulatory investigations and enforcement for the year ahead with a focus on both providers and users of AI.
The survey also reports some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).
Commenting on the survey, Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper said: “A proportionate, risk based approach to the interpretation of GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required. Adopting an “absolutist” approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks real lasting harm to consumers. Transfers have many benefits for consumers and for society, by ensuring the rapid development and roll-out of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people. We hope that supervisory authorities reconsider the absolutist approach adopted in these early enforcement decisions.”
Ross McKean, Chair of the UK Data Protection and Cybersecurity Group added: “The spate of Irish Data Protection Commissioner fines targeting the behavioral advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the “grand bargain” at the heart of today’s “free” internet, as Schrems II has been for international data transfers. Given what is at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”
** Not all the countries covered by this report make breach notification statistics publicly available and many provided data for only part of the period covered by this report. We have, therefore, had to extrapolate the data to cover the full period. It is also possible that some of the breaches reported relate to the regime before GDPR. As a number of data protection supervisory authorities have now issued annual reports for 2021, some figures in last year’s report that were previously extrapolated have been updated in this report.
*** The DLA Piper survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein. Not all jurisdictions publish details of fines issued. It is possible that more fines have been issued and not published. The UK left the EU on 31 January 2020. The UK has implemented GDPR into law in each of the jurisdictions within the UK (England, Northern Ireland, Scotland and Wales). As at the date of this survey the UK GDPR is the same in all material respects as the EU GDPR. That said, the UK Government Department for Digital, Media, Culture and Sport recently consulted on proposed changes to UK data protection laws “Data: a new direction” and is proposing to legislate changes to UK data protection laws during the course of 2023. It remains to be seen the extent to which these changes will deviate from the EU GDPR.