
New Europe-wide analysis shows GDPR fines are here to stay, but with big differences between countries

  • The total amount of fines related to non-compliance with the GDPR reached EUR 261.7m in Europe, according to new analysis by global law firm CMS
  • GDPR enforcement activity strongly varies from country to country, with almost a third of all evaluated fines issued from Spain
  • Media, Telecoms & Broadcasting and Industry & Commerce together accounted for 40% of all fines, emphasising the importance of risk management in customer-facing industries

With digitisation and personal data now omnipresent across all industries, a tough crackdown on data protection compliance is sweeping across Europe. In enforcing the rules, data protection authorities (DPAs) appear to be honouring EU legislators' promise of greater data protection and data security under the GDPR.

The new findings are published today by global law firm CMS in the 2nd edition of its annual Enforcement Tracker Report, which analyses all publicly available information in relation to GDPR fines across Europe. The information used in the report is captured in CMS's GDPR Enforcement Tracker online database.

The report shows that a total of 287 known GDPR fines were imposed between March 2020 and March 2021, bringing the total to 526 fines in the period 25 May 2018 to 1 March 2021 (570, if all entries are counted). This increase from 239 notices, as outlined in Enforcement Tracker Report 2020, represents 120% growth in penalties in one year. With a total value of EUR 261.7m, DPAs across Europe have been acting decisively to ensure GDPR compliance among large and small businesses (and sometimes also public authorities) in the region.

Illegal processing of personal data (or, in legal terms, "insufficient legal basis for data processing") was the most common violation, accounting for 38% of all fines and for six out of 10 of the highest fines across Europe. This shows that companies are still struggling to manage the legal uncertainty in GDPR interpretation and application. Data security took the second spot, accounting for 21% of fines.

On a European level, almost a third of all fines issued were from the Spanish DPA, followed by Italy, Romania and Hungary. The UK had the highest average fine at EUR 11m, based on four penalties.

The report also revealed that public-facing industries received the most scrutiny, possibly because end customers are more willing to file complaints with a DPA: the Industry & Commerce and Media, Telecoms and Broadcasting sectors received 110 and 99 fines respectively, together accounting for 40% of all fines issued. In these industries, too, the highest and most common fines related to the legal basis for data processing and to data security. Meanwhile, DPAs are also cracking down on illegal video surveillance, which accounted for 70% of fines issued to the hospitality industry, and on direct marketing activity such as spam emails.

Among the highest-profile penalties issued, Google received the heaviest fine, EUR 50m imposed by the French DPA, for insufficient legal basis for data processing, owing to a lack of consent for the use of data in marketing activities. European retailer Hennes & Mauritz (H&M) received the second highest penalty, EUR 35.3m, for illegal employee surveillance and monitoring activities.

Michael Kamps, Partner at CMS, commented: “Beyond the mere facts and figures, our analysis shows the relevant differences in DPA fining practice between jurisdictions. To provide more insights, especially for pan-European organisations, we collected details of enforcement frameworks from our local CMS data protection specialists. Even though fully harmonised, there is hardly another area that is shaped more by national laws and the respective watchdog's practice than GDPR fines and enforcement."

"From a core legal perspective, it may also be worth noting that the DPA opinion (as evidenced in a penalty notice or an initial notice of intention) is not necessarily the last word. DPAs as well as courts in various countries, including the UK and Germany, have significantly reduced fines. Apparently, it is not over 'til the fat lady sings."

“Overall, we can already see after three years into the GDPR that authorities across Europe have higher expectations for businesses and will crack down on those that are failing to comply in every aspect. So, continued investment in the health of data processing is essential for businesses of all shapes and sizes.”

Read the full report here; an executive summary is available here.
