Record levels of fines were issued in 2021 to resolve violations of the EU’s General Data Protection Regulation, according to a new report from DLA Piper. There was a 600% increase in the total fine amount, which rose from €159 million ($181 million) in 2020 to a staggering €1.1 billion ($1.2 billion) in the 12 months from January 28, 2021.
The huge increase in the total fine amount was due to two large financial penalties imposed on Amazon and WhatsApp, both of which broke the previous record fine of €50 million ($57 million) imposed on Google by the French Data Protection Authority in 2020.
The largest financial penalty of 2021 was imposed by the Luxembourg National Commission for Data Protection on Amazon Europe Core S.a.r.l. Amazon was determined to have violated the core data processing principles of the GDPR and was fined €746 million ($846 million). Amazon did not agree with the findings and has appealed the financial penalty, which may be reduced or even overturned. The outcome of that appeal is unlikely to be known for months, if not years.
Ireland’s Data Protection Commission announced a €225 million ($255 million) financial penalty for WhatsApp in 2021, to resolve alleged violations of the data processing transparency provisions of the GDPR. WhatsApp also disagreed with the ruling and has filed an appeal against the fine, which it feels is “entirely disproportionate.” The maximum penalty for GDPR violations is €20 million ($22.5 million), or 4% of global annual turnover, whichever is greater.
The data protection authorities in each member state take their own approach to issuing financial penalties for GDPR violations, which is why this year DLA Piper did not provide a list of the number of fines each country has issued. Some countries, such as Spain and Italy, have been imposing high numbers of small fines for GDPR violations, whereas others have pursued headline-grabbing penalties of millions of dollars. DLA Piper says it is not clear which approach is the most effective at deterring violations and encouraging compliance.
The enforcement trends identified in the previous year’s report have continued in 2021, with many data protection authorities making data processing transparency an enforcement priority, as well as compliance with the integrity and confidentiality principle and related requirements to notify individuals about breaches of their personal data. The report also shows an increase in investigations and financial penalties related to cyberattacks and data breaches, with Poland one of the most active countries in enforcing compliance with the information security requirements of the GDPR.
DLA Piper has predicted that data transfers will be an enforcement priority, that there are likely to be a significant number of investigations and enforcement activities related to cookies and tracking technology, and that organizations in the ad-tech ecosystem are likely to face increased scrutiny.
The DLA Piper GDPR report shows an 8% year-over-year increase in data breach notifications to data protection authorities in 2021, with notifications being submitted at an average of 356 per day, up from an average of 331 per day in 2020. In terms of total notifications, the five countries with the highest number were Germany (106,731), the Netherlands (92,657), the UK (40,026), Poland (29,003), and Denmark (26,634), although when adjusted per capita, the Netherlands topped the list with 150 breach notifications per 100,000 people, followed by Liechtenstein with 132, Denmark and Ireland with 130, and Finland with 86.