Thursday, January 21, 2021

Companies Should Beware Any Relaxation of Data Protection Protocols as Levels of Fines Revealed

All Businesses Should be Aware of Regulations (and Potential Penalties)
Shipping News Feature

EUROPE – Before Covid-19 began to cut a swathe through the population and became the headline grabber of 2020, data protection had been very much an issue concerning most businesses. Now figures released show that it would be unwise for companies still trading in the European Union and beyond to relax their vigilance on adhering to the regulations and the ways they collate, handle and retain personal data.

International law firm DLA Piper has been looking at the level of fines levied within the EU in its latest annual General Data Protection Regulation (GDPR) fines and data breaches report covering the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein.

The results show an eye-watering total of £245.3 million worth of fines have been imposed for a wide range of infringements of Europe’s data protection laws. Italy’s regulator tops the rankings for aggregate fines, having imposed penalties worth more than £62.4 million since the application of the GDPR on 25 May 2018. Germany and France rank second and third.

Pre-Brexit, the UK managed to record the third highest level of transgressions with 30,536 breach notifications since the commencement of the regulations, with only Germany (77,747) and the Netherlands (66,527) performing worse. France and Italy, countries with populations of over 67 million and 62 million people respectively, only recorded 5,389 and 3,460 data breach notifications for the same period, thereby illustrating the cultural differences in approach to breach notification.

The highest GDPR fine to date remains the £45 million levy imposed by the French data protection regulator on Google for alleged infringements of the transparency principle and lack of valid consent. Ewa Kurowska-Tober, global co-chair of DLA Piper’s Data Protection and Security Group, observed:

“Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. They certainly haven’t had things all their own way, though, with some notable successful appeals and large reductions in proposed fines. Given the large sums involved, and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defences of enforcement action continue.”

Following two high-profile data breaches, the Information Commissioner’s Office in the UK published two notices of intent to impose fines in July 2019 totalling £282 million. However, in a significant climbdown by the regulator, the final fines imposed in October last year were greatly reduced to £20 million and £18.4 million. Commenting on the report, Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group, explained:

“Fines and breach notifications continue their double-digit annual growth, with European regulators showing their willingness to use the enforcement powers available to them. They’ve also adopted some extremely strict interpretations of the GDPR, in turn setting the scene for heated legal battles in the years ahead.

“However, we’ve also seen regulators show a degree of leniency in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship. During the coming year, we anticipate the first enforcement actions relating to the GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

Not all Member States of the European Economic Area make details of breach notification statistics publicly available. Several have only provided incomplete statistics or statistics for part of the period covered by DLA Piper’s report. On that basis, the figures have been rounded up and, in some cases, extrapolated to provide best approximations. Similarly, not all GDPR fines are publicly reported and some data only covered part of the period covered by this latest report.