It's been two and a half years since the EU started implementing the General Data Protection Regulation (GDPR), and despite a timid start, the new laws are now gathering pace – with only larger fines to come for non-compliant businesses.
A new report from law firm DLA Piper's data protection team, released to coincide with the Council of Europe's data protection day, finds that the past year has seen a total £142.7 million ($193.4 million) issued in GDPR-related fines, which is almost a 40% increase compared to the previous 20 months since the new laws came into force. The total reported fines since the GDPR started applying reach £245 million ($332 million).
The number of breach notifications is also growing, with an average of 331 data breaches reported per day over the past 12 months, compared to 278 notifications a day the previous year. In total, there have been more than 281,000 data breach notifications since May 2018.
SEE: Security Awareness and Training policy (TechRepublic Premium)
GDPR-related activity is accelerating fast, therefore, but there are still headwinds blowing against the European rules. "The GDPR is still young," Ross McKean, chair of DLA Piper's UK data protection and security group, tells ZDNet. "It is a document still full of ambiguities and inconsistencies that make enforcing it quite difficult, so regulators are treading carefully."
Although the rules are, in principle, a uniform set to be applied equally to all adhering countries, the reality is different. Equipped with disparate human, financial and technical resources, different nations have different approaches to implementing the laws.
The discrepancies show in the numbers. While Germany is responsible for 77,747 breach notifications since the GDPR launched, for instance, Italy only recorded 3,460 notifications in the same period – a statistic that can also be linked to cultural differences. "It's not just one GDPR law, it's a GDPR regulation that is interpreted differently across all of those countries," says McKean.
Looking at the headline-grabbing fines that have been issued as a result of the GDPR, it is evident that uncertainties still surround the application of the new rules. The UK, for example, holds the spot for the fourth and fifth largest fines imposed for breaching GDPR requirements – but in both cases, the original sum was significantly downgraded as a result of appeals.
British Airways was fined £20 million ($27 million) last year after personal details of hundreds of thousands of customers were stolen by hackers, a 90% reduction from the initial £183.4 million that was put forward, as a result of the impact of the COVID-19 pandemic. For the same reasons, hotel chain Marriott was fined £18.4 million ($25 million), or 20% of its original penalty, after it emerged that information belonging to 339 million guests had been stolen.
The biggest fine imposed to date under the GDPR was issued by French regulator CNIL in 2019, which issued a €50 million ($61 million) fine against Google for a breach of transparency rules.
DLA Piper's report notes that many open legal uncertainties in the interpretation of GDPR can partly explain why the fines imposed to date have been at the lower end of the scale. One thing is certain: those examples of successful appeals show that regulators "haven't had it all their own way," reads the report, despite the overall increase in fines and breach notifications.
According to McKean, however, it is only a matter of time before regulators build up sufficient confidence to enforce GDPR laws more forcefully. "If you look at the maximum amounts that those fines could reach in some companies, you're in the billions," says McKean. "It will be a while before we get there. It's still early days, but the fines are only headed one way, and we are probably a few years away from the big fines to start coming through."
And although the sums are, for now, only a percentage of what they could be, McKean argues, the deterrent effect of the GDPR should not be underestimated.
"We have the undivided attention of big tech and of any company subject to the GDPR," he says. "Pharmaceuticals, financial services too – it's all based on trust. If you're fined, it's a bad day in the office, with a big reputational headache to deal with. So, even though it doesn't make big headlines yet, GDPR is taken extremely seriously."
What's more: EU regulators have a number of punitive measures that they can use on top of fines to make sure that companies change their bad data processing habits. One which is a cause of genuine concern for many organizations, sometimes more so than fines, said McKean, is the ability to suspend data transfers altogether when they are considered unlawful.
SEE: Technology's next big challenge: To be fairer to everyone
Last year, for example, the European Court of Justice (ECJ) invalidated the data bridge that was created to allow the personal data of EU citizens to be sent and processed in the US, called the privacy shield. The ruling was announced after it was decided that government surveillance laws across the Atlantic prevented organizations from protecting personal data in a GDPR-compliant way.
In principle, the ECJ's decision makes it unlawful to exchange personal data with the US unless alternative data transfer mechanisms are in place. There are still few examples of enforcement of the ruling in practice; but the real-world ramifications of the judgement will start showing this year, according to McKean.
In the still-evolving legal landscape that surrounds GDPR, another reason for businesses to remain cautious is the possibility of new and stricter rules emerging in the future. One ongoing case in the UK, called Lloyd vs Google, is likely to be followed closely by many organizations. "All eyes are on Lloyd and Google to see if that class of action has legs," says McKean. "If it does, the fines are a sideshow, because they will pale in comparison to the cumulative damages claims."
For any organization processing data in GDPR-compliant countries, therefore, edging on the side of caution is by far the best practice. The GDPR is only getting started, and it's about to get much bigger.