European data regulators issued EUR 1.64bn in GDPR fines last year – a 50% increase on the previous year – according to global law firm DLA Piper


Global law firm DLA Piper publishes the 2023 edition of its annual GDPR and Data Breach survey revealing total fines issued for a wide range of GDPR infringements and the league table of fines issued by country since January 28th 2022. The survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein.

23/02/2023 | DLA Piper

Global law firm DLA Piper has today published the findings of its annual GDPR and Data Breach Survey. The Europe-wide*** survey has revealed another record year, with a 168% year-on-year increase in the total value of fines issued across Europe.

Among the largest fines levied were those against Meta Platforms Ireland Ltd. (Meta), demonstrating that social media, and its reliance on extensive processing of personal data, have been a particular focus of regulatory action. Several of the largest fines imposed against Meta this year by the Irish DPC relate to Facebook and Instagram’s behavioral profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data. While the Irish DPC originally concluded that this was possible, the influential European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers, and how “free” online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed, with years of subsequent litigation to follow.

The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day this year. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.

While personal data issues around advertising and social media have dominated headlines this year, there is a growing focus on Artificial Intelligence, and the role of personal data used to train AI. Most prominently this year, multiple investigations into facial recognition company Clearview AI took place following complaints by digital rights organisations, including Max Schrems’s organisation My Privacy is None of your Business (NOYB), with several fines issued. As AI and machine learning platforms continue to become more ubiquitous, the survey predicts more regulatory investigations and enforcement for the year ahead, with a focus on both providers and users of AI.

The survey also reports some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).

Commenting on the survey, Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper said: “A proportionate, risk based approach to the interpretation of GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required. Adopting an “absolutist” approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks real lasting harm to consumers. Transfers have many benefits for consumers and for society, by ensuring the rapid development and roll-out of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people. We hope that supervisory authorities reconsider the absolutist approach adopted in these early enforcement decisions.” 

Ross McKean, Chair of the UK Data Protection and Cybersecurity Group added: “The spate of Irish Data Protection Commissioner fines targeting the behavioral advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the “grand bargain” at the heart of today’s “free” internet, as Schrems II has been for international data transfers. Given what is at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”

** Not all the countries covered by this report make breach notification statistics publicly available and many provided data for only part of the period covered by this report. We have, therefore, had to extrapolate the data to cover the full period. It is also possible that some of the breaches reported relate to the regime before GDPR. As a number of data protection supervisory authorities have now issued annual reports for 2021, some figures in last year’s report that were previously extrapolated have been updated in this report.

*** The DLA Piper survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein. Not all jurisdictions publish details of fines issued. It is possible that more fines have been issued and not published. The UK left the EU on 31 January 2020. The UK has implemented GDPR into law in each of the jurisdictions within the UK (England, Northern Ireland, Scotland and Wales). As at the date of this survey the UK GDPR is the same in all material respects as the EU GDPR. That said, the UK Government Department for Digital, Media, Culture and Sport recently consulted on proposed changes to UK data protection laws “Data: a new direction” and is proposing to legislate changes to UK data protection laws during the course of 2023. It remains to be seen the extent to which these changes will deviate from the EU GDPR.
