Out-Law Analysis
12 Oct 2020, 7:00 am
Analysis undertaken by the cyber team at international professional services firm Pinsent Masons has found that the total value of fines that data protection authorities (DPAs) across the EU issued, or outlined their intention to issue, between March 2019 and May 2020 exceeded €414 million. Cases concerning personal data breaches made up 77% of that total amount.
The enforcement of data protection legislation is a major corporate risk to organisations that practice poor cybersecurity. In Europe particularly, where fines of up to €20 million or 4% of annual global turnover can be imposed under the General Data Protection Regulation (GDPR), the financial and reputational impact of enforcement can be severe.
David McIlwaine, Partner
Our analysis found that, between March 2019 and May 2020, a total of 190 GDPR fines were issued by European DPAs. Almost one third of the cases – 62 – were issued by Spain's Agencia Española de Protección de Datos (AEPD), though the total value of those penalties only just exceeded €2 million.
The largest fines levied or proposed came from DPAs in the UK, France, Italy, Austria and Germany, with the personal data breaches reported by British Airways and Marriott particularly noteworthy. In those cases, the UK's Information Commissioner's Office (ICO) issued notices of intent to impose fines of more than £183m and £99.2m respectively.
The outcome of the ICO's enforcement action in the two cases has still to be finalised, with procedural issues and then the fallout from the coronavirus crisis causing delay and leading to speculation that lower levels of penalties may be imposed than originally envisaged.
In total, 57% of the 190 data protection fines issued or proposed by European DPAs between March 2019 and May 2020 concerned personal data breaches, with the total value of fines in those cases almost €320m.
From our data, it is apparent that security provisions of the GDPR are among those regularly cited by European DPAs as the legal basis for regulatory action and enforcement.
Specifically, the Article 32 provisions on security of processing have been invoked by regulators on over 31 occasions since March 2019. The total value of fines issued under Article 32 exceeds that under any other article of the GDPR. The average value of a fine under Article 32 amounts to €24.3 million, which is higher than the average value of fines issued under Article 5(1)(f) – €654,630. Article 5(1)(f) sets out one of the core principles relating to the processing of personal data under the GDPR, requiring personal data to be processed in a manner that ensures appropriate security of that data.
Our findings highlight the regularity with which European DPAs will scrutinise data security matters and their willingness to enforce against non-compliance, including through issuing substantial penalties.
Further analysis highlights that failures by organisations to meet their obligations to notify personal data breaches led to fines totalling nearly €8m being issued by European DPAs between March 2019 and May 2020. This is a warning to companies that compliance with the breach notification requirements will be taken seriously, and that DPAs are willing to impose fines as both an incentive and a deterrent so that compliance becomes the norm.