€114 million in fines imposed by European authorities under GDPR

DLA Piper's latest GDPR Data Breach Survey found that over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25th May 2018.

France (€51m), Germany €24.5m) and Austria (€18m) topped the rankings for the total value of GDPR fines imposed, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) topped the table for the highest number of data breaches notified to regulators.  

The highest GDPR fine to date was €50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for data breach. Following two high profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling £282 million although neither of these were finalised as at the date of this report.

Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: "GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.

"The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity."