- Data privacy watchdogs have handed out 114 million euros, about $126 million, since the enactment of General Data Protection Regulations (GDPR), according to research from law firm DLA Piper.
- Twenty-eight members of the European Union reported more than 160,000 breach notifications since May 25, 2018. The report includes Norway, Iceland and Liechtenstein, which are part of the European Economic Area, though not EU members. Compared to the time between May 25, 2018 through Jan. 27, 2019, daily breach notifications increased from 247 to 278.
- DLA Piper warns "it would be unwise to assume that low and infrequent fines" will be common. Regulators are increasing their staff to review cases. The law expects to see "multimillion euro fines" in 2020.
Not all breaches under GDPR are considered "reportable." Breaches that don't risk consumer rights or freedoms, or caused by inappropriate security use or of a breach, can go unreported.
Data breaches are only a small aspect of data privacy-related fines. For example, Austria received a 4,800 euro fine because of "unlawful" closed-circuit television system that led to "excessive" sidewalk surveillance, according to DLA Piper's 2019 report.
Last year Google made history with a "game changing" $57 million fine, which remains the largest fine under GDPR. French regulators said the company failed to convey what consumer data it collected, why it was processed and how long it was stored. Sufficient consumer consent was also missing from its practices, regulators claimed.
The lack of transparency in Google's personalized ads business led to its fine and set the tone for other companies with data infringements that were deemed "intentional."
Regulators have to answer several questions before calculating fines including:
What was the nature of the infringement, intentional or negligent?
How many consumers were impacted? What type of data was exposed?
How long did the violation occur?
What was the purpose of the data processing?
What actions were the actions taken post-mortem, including cooperation with regulators?
Were the preventative measures in place before the incident?
Does the company have a history of data privacy infringements?
Companies concerned with compliance are reserving funds for potential fines. Almost three-quarters of businesses have a budget dedicated to GDPR-related fines, according to research from Ponemon Institute.
Companies with incidents prior to May 25, 2018 aren't insulated from GDPR penalties. Retroactive fines are possible under the "processing" mandate. For example, the United Kingdom handed Equifax a $658,000 fine in September 2018 despite its breach occurring in 2017.