A new report by DLA Piper, a multinational law firm, presents statistics on the number of personal data breaches notified to regulators and on the first fines issued under the GDPR for the period from 25 May 2018, when the Regulation became applicable, to 28 January 2019 (International Data Protection Day). The total number of reported personal data breaches is about 59,000, and 91 fines have been imposed. These figures cover the 26 European Economic Area (EEA) countries for which breach notification data is available. Five countries (Slovakia, Bulgaria, Croatia, Estonia and Lithuania) do not publish breach notification statistics, and some of the countries that do provided data for only part of the period. The reported totals are therefore incomplete and should be read as a lower bound rather than an exact count.
According to the report, the three countries with the highest number of reported breaches are the Netherlands (approximately 15,400), Germany (12,600) and the UK (10,600). At the other end of the scale, the countries with the lowest numbers of reported breaches are Liechtenstein (15), Iceland (25) and Cyprus (35).
It is interesting to see how many of the reported breaches result in fines. The report notes that not all of the 91 documented fines relate to a personal data breach. That is the case with the largest fine so far: 50 million euro, imposed on Google by France's data protection authority, the CNIL, for processing personal data for advertising purposes without valid consent.
Some of the other fines mentioned in the report are far smaller. Austria's first GDPR penalty, for example, was 4,800 euro for an inadequately signposted surveillance camera. Cyprus reported 4 fines (out of 35 breach notifications) with a total value of 11,500 euro. Malta's figures stand out: the country reported 17 fines, a high number for a population of less than half a million.
Sam Millar, a partner at DLA Piper specialising in cyber and large-scale investigations, commented on the report:
“The regulators have already started to flex their muscles with 91 GDPR fines imposed to date, but the fine against Google is a landmark moment and notable partly because it's not related to a personal data breach. We anticipate that regulators will treat data breaches more harshly by imposing higher fines given the more acute risk of harm posed to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.”
The report raises a further interesting issue towards its end. It cites comments from some legal representatives in Germany arguing that applying EU competition law principles to calculate GDPR fines could violate the principles of legality and proportionality of criminal offences and penalties under the EU Charter of Fundamental Rights. One proposed solution is for national procedural rules to apply to the calculation instead of the standardised EU approach, which would generally result in lower fines. Whether such a manoeuvre is actually possible remains to be seen.
What we can do now is to think more carefully about the numbers mentioned in this article. They must be analysed with their context in mind. Whether a high number of reported breaches indicates widespread non-compliance or a vigilant reporting culture is a question for qualitative, not quantitative, analysis. Researchers will no doubt take this up in time, but until then it is worth remembering that the GDPR rules exist to protect our data privacy rights, and we should use them for our own and our clients' benefit.