8 months of GDPR: 59,000+ reported breaches, 91 fines

A little over eight months have passed since the EU General Data Protection Regulation (GDPR) became enforceable, but it’s becoming clear that sweeping data breaches under the carpet has become a very high-risk strategy.

Complaints and data breach notifications

The European Commission (EC) has recently published an infographic presenting statistics and information related to the compliance and enforcement of the GDPR rules.

It says that data protection authorities across Europe have received over 95,000 complaints from individuals or organizations and over 41,000 data breach notifications by companies, and that most complaints are related to telemarketing, promotional emails, and video surveillance/CCTV.

But, according to global law firm DLA Piper, those numbers are conservative as they are based on the voluntary contributions of data protection regulators of just 21 out of the 28 EU Member States.

“Based on our own research covering 23 of the 28 EU Member States, together with figures for Norway, Iceland and Lichtenstein (the three additional European Economic Area Member States), we calculate that there have been 59,430 reported data breaches over the same period across Europe,” the firm’s cybersecurity team noted in a report – though they admit that these breach notification figures are “best approximations” due to a lack of publicly unavailable or incomplete data.

According to their estimates, the Netherlands, Germany and the UK topped the list of countries with most reported breaches (15,400, 12,600, and 10,600 respectively). The lowest numbers of reported breaches were made in Cyprus, Iceland and Liechtenstein (35, 25, and 15 respectively).

The Netherlands are also at the top of the list if the number of breach notifications is weighted against its population:

GDPR numbers January 2018

“Italy has so far had very few breach notifications relative to its large population which illustrates that notification practice and culture varies significantly among Member States,” the DLA Piper team commented.

GDPR fines

To date 91 fines have been reported, but not all relate to personal data breaches. For example, the massive €50 million fine handed by the French data protection authority to Google was due to the firm processing personal data for advertising purposes without valid authorization.

The German data protection authorities have already issued over 60 fines, big and small, for a variety of violations. Interestingly enough, “little” Malta reported 17 fines.

“The GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation. As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open,” noted Ross McKean, a partner at DLA Piper specializing in cyber and data protection.

What to expect in 2019?

The company expects more fines and heftier fines to be handed out in 2019 as regulators clear the backlog of data breach notifications.

“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so. Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion Euro fines recently on large tech companies,” the team pointed out.

“That said, this is yet another area where there are important open legal questions under GDPR. Some legal commentators in Germany argue that applying EU competition law principles to calculate GDPR fines would violate the principles of legality and proportionality of criminal offences and penalties under the European Charter of Fundamental Rights and therefore local German procedural rules should be applied to calculate GDPR fines, resulting in much lower fines being applied. We anticipate that there will be early test cases on this point as the regulators trial the limits of their new powers.”

Don't miss