
New Europe-wide analysis provides insights into GDPR fining and enforcement practice

GDPR fines exceeded EUR 1.5bn and 1,000 cases in 2021, according to a new Europe-wide analysis – and there is more to come

  • The total amount of published fines related to non-compliance with the GDPR reached EUR 1.581bn in 2021, according to a new analysis by global law firm CMS.
  • The 500% increase in 2021 was largely driven by several record fines imposed on well-known digital stakeholders, including a EUR 746m fine in Luxembourg.
  • Landmark cases are only the tip of the enforcement iceberg – a closer look at smaller cases provides relevant insights: sector exposure is highest in customer-facing industries like Industry & Commerce and Media, Telecoms and Broadcasting; a view on the legal basis for data processing as well as on data security is vital for risk management.

With the omnipresence of digitisation and personal data across all industries, a tough crackdown on data protection compliance is continuing to sweep across Europe. Data protection authorities (DPAs) have continued to use the 'GDPR enforcement toolkit', with fines being the most visible means to stick to EU legislators' promise for greater data protection and data security under the GDPR.

These new findings are being published today by global law firm CMS in the 3rd edition of its annual Enforcement Tracker Report, which analyses all publicly available information in relation to GDPR fines across Europe. The information used in the report is captured in CMS's GDPR Enforcement Tracker online database.

The report shows that a total of 505 known GDPR fines were imposed between March 2021 and March 2022, bringing the total to 1,031 fines in the period from 25 May 2018 to 1 March 2022. This increase from 526 cases, as outlined in the previous Enforcement Tracker Report 2021, represents a 96% growth in penalties in one year. With a total value of around EUR 1.581bn (+EUR 1.319 billion or +500%), DPAs across Europe have again been acting decisively to ensure GDPR compliance among large and small businesses, and sometimes also public authorities, in the region.

The illegal processing of personal data - or, in legal terms, "insufficient legal basis for data processing" - was the most common violation, accounting for eight out of ten of the highest fines across Europe. This shows that companies are still struggling with legal uncertainties in the interpretation and application of the GDPR. Non-compliance with data protection principles took the second spot, followed by insufficient measures to ensure information security.

On the European level, more than one third of all fines issued were from the Spanish DPA, followed by Italy, Romania and Hungary. GDPR enforcement is still significantly shaped by national laws and local practice – although the overall aim of the GDPR is to establish a fully harmonised regulatory framework for data protection. The EU-wide "Guidelines on calculation of fines" published by the European Data Protection Board (EDPB) just days ago may be a relevant step towards a more consistent practice. This will likely lead to higher fines, at least for larger organisations.

The report also revealed that public-facing industries received the most scrutiny, possibly due to end customers’ willingness to file complaints with a DPA. The Industry & Commerce and Media, Telecoms and Broadcasting sectors each received 220 and 172 fines respectively, accounting for nearly 40% of all fines issued. The highest and most common fines, also in these industries, were related to the legal basis for data processing and data security. Meanwhile, DPAs are also cracking down on illegal video surveillance across all countries and business sectors (including individuals), as well as direct marketing activity, for example spam mails.

Some high-profile penalties were issued. The heaviest fine for non-compliance with general data protection principles, EUR 746m, was issued by the Luxembourg DPA. The second highest penalty, EUR 225m, was imposed by the Irish DPA for, inter alia, non-transparent data processing.

Michael Kamps, Partner at CMS, commented: “For several reasons, 2021 was an interesting year to track GDPR enforcement. Beyond the mere facts and figures, in particular the record fines and the steep rise in the total fine amount, our analysis shows the relevance of case-specific details. In this respect, DPAs follow the requirements of the GDPR. From an organisational risk management perspective, considering existing GDPR enforcement cases as important precedents, highlighting the 'don’ts' in data processing, can be recommended.”

“From a core legal perspective, it may also be worth noting that the DPA opinion - as evidenced in a penalty notice or an initial notice of intention - is not necessarily the final say. Courts in various countries have continued to apply legal scrutiny and, in some cases, overturned DPA enforcement decisions.”

“Overall, we can already see after four years into the GDPR that authorities across Europe have higher expectations for businesses and will crack down on those that fail to comply in every aspect. The new EDPB guidelines on the calculation of fines will surely contribute in this respect. So, continued investment in the health of data processing remains essential for businesses of all shapes and sizes.”

Read the full report here; an executive summary is available here.

Press release | CMS Enforcement Tracker Report 2022 - 3rd edition