Skip to main content

Global data risk

The global state of play

Regulatory enforcement under GDPR soars

GDPR enforcement activity has risen sharply.

In 2018, the year the GDPR came into force, there were just 19 penalties issued by EU DPAs, with Germany and Austria the nexus of activity. Total fines amounted to less than €600,000.

Enforcement really took off in 2019, with the number of fines increasing by a factor of seven to 143. Authorities in 24 EU countries issued fines in 2019 and 2020, compared with just eight in 2018.

In 2020, the number of GDPR-related fines rose 17 per cent to 168, and by the end of February 2021 a further 35 penalties had been handed out. If that level of activity were maintained to the end of the year, it would set another new high.

The size of the penalties issued by EU DPAs also increased significantly, with total fines more than doubling between 2019 and 2020 (123 per cent). To the end of February 2021 companies were punished to the tune of almost €28m, which again will break the previous record if the rate continues to the end of the year.

Spain brings the most cases; Italy levies the most fines

Spain is by far the most active EU jurisdiction for regulatory enforcement, with the AEPD issuing 110 separate GDPR-related penalties between 2018 and February 2021.

Italy’s Garante, however, has handed out more fines (€70.9m) than any other EU authority, followed by France’s Commission Nationale de l'Informatique et des Libertés (CNIL), German DPAs (which are organised regionally), and the UK Information Commissioner’s Office (ICO). The latter levies the biggest individual penalties on average (€11m), including three major fines in 2020.

The sectors and infringements in the spotlight

The most heavily sanctioned industries are consumer, telecoms, healthcare and industrials.

The largest fines were reserved for companies whose GDPR violations affected the biggest number of data subjects; repeat offenders; and businesses deemed not to be co-operating with the relevant DPA. In Germany there has been a crackdown on employee surveillance, while data security breaches are another driver of significant fines.

Trend for fines to be reduced

While GDPR-related penalties are rising, the fines being issued are not at the top end of the scale. The regulation gives EU DPAs the scope to fine companies up to 4 per cent of their annual group turnover, yet the actual amounts are significantly lower. Of the 50 biggest GDPR fines to date, only two (Ticketmaster UK and Notesbooksbilliger.de) represented more than 1 per cent of the company’s global sales.

In addition, one of the most noticeable recent trends has been for fines to be reduced or even reversed by DPAs or the courts, with the UK ICO’s cases against British Airways and Marriott two of the highest-profile examples.

For more on fine reductions and reversals, click here.

Biggest fines globally originate in US

While the level of data protection enforcement in the EU has soared since the advent of the GDPR, the biggest data-related penalties globally originate in the US. Since 2018, nine of the 10 largest fines for data privacy breaches have all come from US authorities, with the Federal Trade Commission the only regulator to hand out a 10-figure punishment. The US has no federal privacy regulation, so fines are levied by a variety of authorities, including state attorneys general, the Office for Civil Rights, the FTC and the Department of Justice.

US companies – particularly in tech - are the most heavily sanctioned worldwide, with only one non-US company featuring among the 20 biggest penalties.