
Europe-wide analysis on the fifth anniversary of the GDPR reveals data protection fines totalling EUR 2.7 billion in over 1,500 cases

22/05/2023

  • European data protection authorities imposed fines totalling over 2.7 billion euros in more than 1,500 publicly known cases for violations of the General Data Protection Regulation, which has been in place for five years.
  • Last year again, the total amount of fines increased. The main drivers were several fines against big tech companies, each in the hundreds of millions. These cases are only the tip of the iceberg - data protection authorities are pursuing legal violations across all industries and company sizes.
  • The risk of fines is particularly high in the business-to-consumer sector, such as industry and commerce or media, telecoms and broadcasting. Having a sound legal basis for data processing and information security measures should be a priority for risk management.
  • In addition to fines, data protection authorities can restrict or prohibit data processing, as the Italian data protection authority Garante recently demonstrated in the case of a provider of generative AI.

In the last five years, European data protection authorities have made extensive use of the sanctioning options of the General Data Protection Regulation (GDPR). These findings are being published today by global law firm CMS in the 4th edition of its annual Enforcement Tracker Report. 

The report analyses all publicly available information on GDPR fines across Europe. The information used in the report is captured in CMS’s GDPR Enforcement Tracker online database: www.enforcementtracker.com.

Less than two months after the GDPR became applicable on 25 May 2018, the first fine under the new (almost) fully harmonised data protection law was imposed in Portugal: the operator of a hospital had to pay 400,000 euros for having made patient data accessible to too many people. Since then, both the number of publicly known cases and the total amount of fines imposed have risen steadily. Particular attention was attracted by the first cases with fines in the double- and triple-digit millions: 50 million euros in France in January 2019 and 746 million euros in Luxembourg in July 2021.

In the current analysis period between March 2022 and March 2023, 545 new publicly known fines were imposed. This brings the total number of cases since the end of May 2018 to 1,576. The total value of all fines is around 2.77 billion euros (+1.19 billion euros) and has exceeded the two-billion-euro mark for the first time. The main driver for the increase in value were several cases with fines in triple-digit millions against big tech companies, all imposed by the Irish data protection authority this year.

The most common violation this year was again the insufficient legal basis for data processing, accounting for five out of ten of the highest fines across Europe. Other triggers for fines were non-compliance with the so-called "general data protection principles" and insufficient measures to ensure information security.

Companies in the business-to-consumer sector are more often the focus of data protection authorities. In the Industry & Commerce sector and the Media, Telecoms and Broadcasting sector, 358 and 213 fines respectively were imposed, together more than half of all fines in the current analysis period. The highest and most frequently imposed fines in these sectors concerned the legal basis for data processing, non-compliance with data protection principles and insufficient information security measures. A relevant number of fines related to video surveillance (CCTV), imposed across different industries and also on private individuals, as well as to unauthorised direct marketing.

Michael Kamps, Partner at CMS Germany commented: "On the fifth anniversary of the GDPR, the application of sanctions in data protection remains dynamic. For example, the recent decision by the Italian data protection authority related to a generative AI application has shown that regulatory measures beyond fines are to be taken seriously. If an authority mandates that the processing of personal data must be restricted or prohibited altogether, this has significant consequences. However, fines are currently still the more common sanction. The publicly known cases can provide indications for priorities and 'red lines' of the authorities."

"Legal uncertainties still exist despite five years of practical experience. In many cases, only the European Court of Justice will have the final say. It is therefore worth examining the legal opinion of the authority critically. This also applies to penalty notices. However, a viable compliance concept for data protection remains essential."

Read the full report here; an executive summary is available here.

Related people

Dr. Fiona Savary, Rechtsanwältin (Schweiz), Counsel, Munich
Dr. Alexander Schmid, Senior Associate, Munich
Christian Runte, Partner, Munich
Michael Kamps, Partner, Cologne