Last year supervisory authorities across Europe issued a total of €1.64bn in fines for non-compliance with the EU’s general data protection regulation (GDPR). That represents a rise of 50% on the total of €1.09bn issued in the previous year, and puts the aggregate total since GDPR came into force in May 2018 at €2.92bn.
Analysis by global law firm DLA Piper suggests the upsurge demonstrates supervisory authorities’ growing confidence and willingness to impose high fines for GDPR breaches, particularly on large technology suppliers.
Ireland and Luxembourg, which both host a number of US tech companies’ operations, head the all-time list of countries imposing the heaviest financial penalties.
Luxembourg takes top position in 2022 with a fine of €746m against a US online retailer and e-commerce platform issued in 2021. The fine is still subject to an ongoing appeal.
Ireland’s Data Protection Commission imposed its largest fine to date in 2022 – €405m, on Meta Ireland in relation to Instagram. It also fined Meta Ireland €265m in relation to Facebook in the same year.
The survey looks at data fines issued between 28 January 2022 and 10 January 2023, and covers all 27 EU member states as well as the UK, Norway, Iceland and Liechtenstein.
It found that the average number of notified data breaches per day in the period fell to 300, compared with 328 in the previous year.