Privacy Fines: GDPR Sanctions Last Year Surged to $3 BillionStudy Finds 'Highly Inflationary Impact' of European Data Protection Board Rulings
The cost of violating Europe's General Data Protection Regulation skyrocketed last year, and Big Tech companies took the brunt of the 2.9 billion euros in fines levied by regulatory agencies.
See Also: 6 Critical Capabilities for an Application GRC Solution
The amount, equal to about $3.1 billion, is more than double the value of fines issued during 2021, finds analysis from law firm DLA Piper.
Ireland, home of the European headquarters of companies including Google, Apple and Facebook, led the way on high-value fines, for example by imposing a 265 million euro fine on Facebook in November for a data scraping incident.
DLA Piper says its multibillion topline figure includes all known GDPR fines issued since Jan. 28, 2022, by the 27 EU member states, plus Iceland, Liechtenstein, Norway and the United Kingdom. The U.K. incorporated the GDPR as domestic law in 2018, ahead of its withdrawal from the European Union.
The actual fine total is likely even greater than DLA Piper's figure since not all European countries publicly release details of every fine and others have yet to release full details of all fines issued in the past 12 months.
The law firm's count of the total value of known fines is nonetheless a spike from the 1 billion euros imposed in 2021, which again was a massive increase from fines amounting to 159 million euros levied in 2020.
Under GDPR, which came into full effect on May 25, 2018, organizations that handle Europeans' personal data must comply with strict data protection and breach notification rules. Failure to comply with GDPR exposes organizations to fines of up to 4% of their annual global revenue or 20 million euros - whichever is greater. Regulators can also revoke an organization's right to process people's personal data.
The largest single fine last year was 405 million euros, imposed by the Irish Data Protection Commissioner last September against Facebook parent Meta for its multiple alleged failures to protect children's personal data. At the time, Instagram said it would appeal the decision and contested how the amount of the fine was calculated.
DLA Piper ties at least some of the rise in the total value of fines to the European Data Protection Board, the independent European Union body charged with ensuring consistency across nations in GDPR enforcement. No case decided by the EDPB last year resulted in a recommended fine amount ever being lowered, a trend DLA Piper says had a "highly inflationary impact" on individual fine amounts.
"Where fines were referred to and decided by the EDPB under the GDPR consistency mechanism during 2022, there was on average a 630% increase required by the EDPB compared to the fine originally proposed by the lead supervisory authority," DLA Piper reports.
Fines are increasing but the volume of breaches being reported to regulators has declined, law firm analysis also finds. On average, 300 data breach notifications are sent to countries' GDPR watchdogs daily, down from 328 notifications per day in the prior 12-month period.
One explanation for the reduction is that "organizations might be becoming warier of notifying breaches for fear of investigations, fines and compensation claims," it says.
2023 May Also Be a Bumper Year
Earlier this month, the EDPB instructed Ireland's Data Protection Commission to impose fines of 210 million euros against Meta's Facebook operation and 180 million euros against Instagram. Both fines were much higher than the DPC initially proposed.
The GDPR investigation hinged on Meta having "changed the legal basis for processing personal data from consent to the fulfillment of a contract between the user and Meta," and forcing Facebook and Instagram users to consent to new terms and conditions, introduced after GDPR took effect, if they wanted to continue to use its services, attorneys Jonathan Armstrong and André Bywater of London-based law firm Cordery write in a recent client note.
Meta says it will appeal the decision with both the DPC and EDPB. Ireland's privacy watchdog, meanwhile, could be headed for its own legal fight with the EDPB, which it has accused of overstepping its power and undermining the DPC's independence. "Effectively, the EDPB tried to direct the DPC to do a sort of audit of Meta and its data protection practices including its processing of special category data - also known as sensitive personal data," the Cordery attorneys say.
For Meta, the EDPB's decisions mean it is prohibited from using lucrative behavioral advertising techniques to target users without their express consent and from blocking access to their platforms if individuals do not opt in to behavioral advertising. By extension, many other technology giants would face the same prohibitions.
"Given what is at stake, we can expect years of appeals and litigation," says Ross McKean, chair of DLA Piper's U.K. Data Protection and Cybersecurity Group. "The law is very far from settled on these issues."