General Data Protection Regulation

GDPR European Enforcement Tracker Report

17/06/2024

  • The Europe-wide analysis conducted by the CMS network shows that data protection authorities are stepping things up. Fines handed down since GDPR came into force back in 2018 now total €4.5 billion.
  • The highest fine to date has been €1.2 billion – imposed by the Irish data protection authority in May 2023 for a breach of the rules on international data transfers. The Irish authority also imposed a number of further fines in the hundreds of millions that same year.
  • The most frequent violations seen are ‘insufficient legal basis for data processing’ and ‘non-compliance with general data processing principles’. ‘Insufficient technical and organisational measures to ensure information security’ comes next.
  • For the fifth year running, Spain tops the list of countries having imposed the most fines, followed by Italy and Romania. Ireland, Luxembourg and France are the country leaders in terms of highest total and average fines.

International law firm CMS today releases the fifth edition of its annual Enforcement Tracker Report. The report charts developments in respect of all publicly known GDPR fines imposed since 2018 (when the Regulation came into force). This latest edition of the report covers the period from 1 March 2023 to 1 March 2024. Over that twelve-month period alone, 510 fines were handed out, bringing the total number of fines imposed under the GDPR since it entered into force to 2,225 (2,086 counting only fines with complete information on the amount, date and controller).

Total fines over the entire reporting period (2018-2024) now amount to €4.5 billion. This is up by some €1.7 billion over the past year, indicating that the authorities no longer shy away from imposing hefty fines. The average fine over the entire reporting period now stands at around €2.1 million. This figure has shot up recently, on the back of the particularly high fines levied against big tech in 2021/2022, as well as the first fine in the billions in 2023.

Christian Runte, partner with CMS in Germany, shares that:

At the top of the list of GDPR fine triggers we find, once again, insufficient legal basis and non-compliance with the general data processing principles, together with insufficient technical and organisational measures. Companies should pay particular attention to these matters.

His colleague at CMS Germany and co-author of the annual report, Alexander Schmid, adds that:

In addition to data protection authorities, the courts have increasingly been called upon to rule on how the GDPR should be interpreted. For example, the Court of Justice of the European Union has further clarified the scope of data subjects’ right of access. These rulings provide greater clarity, but also represent a tightening of data protection requirements for companies. This is why, alongside the concept of viable compliance, current developments will be decisive for business practices in the future.

Summary of key findings from CMS’s European Enforcement Tracker Report

Total number and amount of fines:

  • Since the GDPR came into effect, a total of 2,225 fines have been recorded (of which 2,086 with complete information).
  • The total amount of these fines is €4.5 billion.
  • The highest fine to date has been €1.2 billion, handed down by the Irish data protection authority in May 2023 for violations relating to international data transfers.

Most frequent violations:

  • Insufficient legal basis for data processing (612 fines).
  • Non-compliance with general data processing principles (561 fines).
  • Insufficient technical and organisational measures to ensure information security (357 fines).

Geographical and sector breakdown:

  • The Spanish data protection authority has imposed the most fines, followed by its Italian and Romanian counterparts.
  • Sector exposure is highest in media, telecoms, industry and commerce. B2C businesses are most likely to be fined, as a result of their more frequent interactions with data subjects.

Outlook:

  • Data protection authorities took a cautious approach in the early days of GDPR but have steadily ramped up enforcement ever since. 2021 marked a step-change, with record fines being imposed on big tech.
  • There has been a significant increase in fines in the finance, insurance and consulting sector, due to a lack of adequate internal compliance measures.

Impact of new technologies:

  • New technologies, such as artificial intelligence, tend to come with particularly complex and high-risk data processing. Their increasing use therefore calls for rigorous risk management.

Case law and class actions:

  • The body of case law on data protection authorities’ decisions is growing, contributing to greater legal certainty as to how GDPR provisions should be interpreted.
  • The Representative Actions Directive has given consumer protection organisations the right to file class actions for breaches of data protection.

The full report is available here; for a summary, click here.