European data breach fines hit £97m
22 Jan 2020
European regulators have imposed €114m (£97m) in fines under the GDPR regime for data privacy infringements, with a further €329m in fines threatened by the UK regulator
Over 160,000 data breach notifications have been reported across the EU, Norway, Iceland and Liechtenstein since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, according to DLA Piper's latest GDPR Data Breach Survey.
Ross McKean, a partner at DLA Piper, said: ‘The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement.’
The maximum fine under the GDPR is up to 4% of annual global turnover or €20m – whichever is greater – for organisations that infringe its requirements.
He added: ‘We expect to see momentum build with more multimillion euro fines being imposed over the coming year as regulators ramp up their enforcement activity.’
Following two high-profile data breaches, the UK’s Information Commissioner’s Office (ICO) published two notices of intent to impose fines in July 2019 totalling £282m, although neither had been finalised as at the date of the report.
One of the fines currently being contested is the £183m levied against British Airways. The record-breaking fine represents 1.5% of British Airways’ worldwide turnover for the financial year ended 31 December 2017.
At the time Willie Walsh, chief executive of parent company International Airlines Group, said: ‘British Airways will be making representations to the ICO in relation to the proposed fine.
‘We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.’
The Marriott hotel chain was also hit by a proposed fine of £99m for a cyber-incident involving 339 million guests’ records.
Once the fine was proposed, Arne Sorenson, Marriott International’s president and CEO, said: ‘We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.’
McKean said: ‘GDPR has driven the issue of data breach well and truly into the open.
‘The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.’
There was a 12.6% increase in daily breach notifications from 247 to 278 in the first eight months of GDPR.
France (€51m), Germany (€24.5m) and Austria (€18m) were issued the highest fines.
The Netherlands was top of the table for the number of notified data breaches with 40,647, followed by Germany at 37,636 and the UK with 22,181 notifications.
The UK ranked 13th out of the 27 countries that provided data on breach notifications on a reported fine per capita basis.
Italy, Romania and Greece reported the fewest breaches. Italy, a country with a population of over 62 million people, recorded only 1,886 data breach notifications.
The report showed that the highest GDPR fine to date was €50m imposed by the French data protection regulator, the National Commission for Computing and Freedom (NCCF), on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for data breach.