It will be five years since the General Data Protection Regulation (GDPR) came into force, but the statistics on data protection fines show no sign of abating. Companies and public authorities have been fined €2.78 billion for breaches of the GDPR, according to Andres Ojaver, the personal data protection expert at Hedman Law Firm.
The year 2023 is unlikely to show any downward trend regarding fines, as, for example, the total amount of fines in the first quarter reached almost €400 million.
Hedman’s personal data protection expert Andres Ojaver said that although awareness of data protection issues has increased over the years, mistakes are still made. “Companies wish to be a trustworthy partner and service provider for their customers, and more attention is being paid to the protection of personal data. However, the European data protection supervisory authorities have gained confidence and capacity, which is also reflected in the statistics on the sanctioning of offenders, including cases involving tech giants. There is also an increasing amount of case law on the interpretation of GDPR requirements, which is being used with increasing skill,” said Ojaver.
Fines are imposed most frequently in fields such as commerce, media and telecoms, financial services, healthcare as well as the public sector. “This is understandable, as these are inevitably the sectors where personalised data is used the most,” Ojaver added.
It will also be interesting to follow the statistics on the total number and total amount of GDPR fines imposed by countries. This reveals which countries are prosecuting the European branches of global tech companies the most. For example, the Irish data protection supervisory authority has so far imposed 23 fines, totalling €1.3 billion. Spain has imposed 594 fines totalling €58 million.
The top three of GDPR fines continue to be led by the €746 million fine imposed on Amazon in 2021 – the company has been accused of using and transferring sensitive personal data.
The second largest fine so far is the €405 million fine imposed on Facebook’s parent company Instagram Meta Platforms, Inc, in September last year. The fine was imposed by Ireland’s data protection supervisory authority for allowing children aged 13—17 to use business accounts that allow access to a minor’s email address and phone number. In addition, the accounts of minors were not set to private by default.
Lastly, the top three also include a €265 million fine imposed on Meta last November. The company was fined for inadequately implementing information security measures to protect user data. The Irish supervisory authority launched an investigation following the news that data belonging to more than 533 million users had been leaked online. The data was found on a hackers’ website and included names, Facebook IDs, phone numbers, locations, birth dates and email addresses of people from more than 100 countries.