Numbers and Figures

5 years of GDPR - what has happened so far, expressed in numbers

A look back at the last few years suggests that initially the authorities mainly monitored developments in the market or dealt with legacy cases that were not yet covered by the GDPR. With the exception of a fine of EUR 400,000 against a hospital in 2018, this initial period of reflection was rather moderate, both in terms of the size and the number of fines. After this initial "orientation phase", DPAs intensified their enforcement efforts in 2019, 2020 and 2021. While 2021 already ended with high fines, in 2022 these were once again trumped by the massive fines against "Big Tech", which catapulted the total amount of fines far above the EUR 2 billion mark.

Now, on the 5th anniversary of the GDPR, with a cut-off date of 1 March 2023, a total number of 1,576 fines (+545 in comparison to the GDPR Enforcement Tracker Report 2022) have been recorded in the CMS Enforcement Tracker database (1,672 if fines with limited information on amount or date are also counted) amounting to a sum of fines of around EUR 2.77 billion (+1.19 billion in comparison to the GDPR Enforcement Tracker Report 2022). In the reporting period 2018-2023, the average fine was around EUR 1,755,366 across all countries.

Total sum of fines

Total number of fines

Overall Top 10 Fines

| Controller/Processor | Country | Fine [€] | Type | Date |
| --- | --- | --- | --- | --- |
| Amazon Europe Core S.à.r.l. | Luxembourg | 746,000,000 | Non-compliance with general data processing principles | 16.07.2021 |
| Meta Platforms, Inc | Ireland | 405,000,000 | Non-compliance with general data processing principles | 05.09.2022 |
| Meta Platforms Ireland Limited | Ireland | 390,000,000 | Non-compliance with general data processing principles | 04.01.2023 |
| Meta Platforms Ireland Limited | Ireland | 265,000,000 | Insufficient technical and organisational measures to ensure information security | 25.11.2022 |
| WhatsApp Ireland Ltd. | Ireland | 225,000,000 | Insufficient fulfillment of information obligations | 02.09.2021 |
| Google LLC | France | 90,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Facebook Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Google Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Google LLC | France | 50,000,000 | Insufficient legal basis for data processing | 21.01.2019 |
| H&M Hennes & Mauritz Online Shop A.B. & Co. KG | Germany | 35,258,708 | Insufficient legal basis for data processing | 01.10.2020 |

A look at the type of violation in the "Top 10 Fines" shows that data processing with an insufficient legal basis is the violation most likely to result in a significant fine (5 of 10 fines). As in the previous year, non-compliance with general data processing principles leads the "Top 10 Fines".

The overview illustrates that the highest final fine still originates from Luxembourg. The fine imposed on Amazon Europe Core S.à.r.l. in the amount of EUR 746 million already led the "Top 10 Fines" last year. However, during the last year, a number of additional massive fines have been imposed, to the extent that half of the "Top 10 Fines" now fall within the range of hundreds of millions of euros.

Business Sectors – Summary

Fines by sector


The data shows that, to date, the highest average fines were levied in the sectors "Media, Telecoms and Broadcasting", "Industry and Commerce", and "Transportation and Energy". Also, the sectors with the highest number of fines to date are the "Media, Telecoms and Broadcasting" and "Industry and Commerce" sectors. While this may be read as an indication that such sectors are particularly inclined to disregard the GDPR requirements, this is not necessarily the case. This may also be due to a comparatively large number of relevant companies in these sectors, the increased exposure of these companies to the public, or simply due to some extraordinary fines in these sectors (e.g. the extraordinary fine in the amount of EUR 746 million in the Industry and Commerce sector) or increased attention or focus by the authorities (e.g. in Spain regarding the Media, Telecoms and Broadcasting sector, where the Spanish authority has already issued over 60 fines against a particular Spanish telecommunications provider).

There were comparatively few fines in the fields of "Accommodation and Hospitality" and "Real Estate". While this is also true for the "Transportation and Energy" sector, the fines in this sector had a high average amount. This may indicate that finable violations in these fields are rare, but that when they did occur, they were serious and therefore carried high fines.

Countries – Top 10

Number of fines per country

Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.


Thus far, the Spanish data protection authority has shown the most activity in terms of issuing fines/publishing issued fines, with a total of 583 fines (+204 in comparison to the GDPR Enforcement Tracker Report 2022). Other countries with comparatively high fine activity are Italy, Romania and Germany, which have imposed between 60 and 246 (published) fines. Nevertheless, those three countries together have published fewer fines than Spain alone.

The reasons for this are not evident from the data. The difference could, for example, be due to differences in the publication method of fines: while some countries also publish smaller fines of a few hundred euros, other countries seem to limit publication to larger fines. Another reason for the differences between the countries could be the number of staff involved in evaluating cases and handing down fines. This may either be because countries with more fines allocated more staff to their authorities in total or the staff within the authority are more focused on pursuing violations than is the case in other countries. Another potential explanation could be that the focus of the authorities varies: while some may put more emphasis on consultation before issuing fines, others may issue fines directly.

A look at the following average fines shows that the average fine in Spain is much lower than in most other countries:

Average fine by country

Sum of fines by country

Type of violation

Fines by type of violation

Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.


We have also analysed the DPAs' justifications for the fines. Each fine in the GDPR Enforcement Tracker Report and on the GDPR Enforcement Tracker Website is attributed to one of the following nine categories:

  • Insufficient legal basis for data processing
  • Insufficient technical and organisational measures to ensure information security
  • Non-compliance with general data processing principles
  • Insufficient fulfilment of data subjects' rights
  • Insufficient fulfilment of information obligations
  • Insufficient cooperation with supervisory authority
  • Insufficient fulfilment of data breach notification obligations
  • Lack of appointment of data protection officer
  • Insufficient data processing agreement

Within these categories, the most fines (and at the same time the second highest sum of fines) were issued for processing activities with an insufficient legal basis. The second most frequent reason for fines was non-compliance with general data processing principles, followed by fines for insufficient technical and organisational measures to ensure information security, insufficient fulfilment of information obligations and insufficient fulfilment of data subjects' rights. While non-compliance with general data processing principles was only the second most common reason for fines, the extraordinarily high fines imposed against Amazon and Meta mean that the average fine in this category is significantly higher than for any other type of violation.

So far, only very few fines have been imposed for lack of cooperation with the supervisory authority, for cases of violations of obligations in the context of data breaches, insufficient involvement of a data protection officer or missing data processing agreements.

Outlook

DPAs across Europe appear to be mindful of their role not only as supervising and penalising institutions, but also as advisors. It appears that in 2018, authorities allowed an initial phase for both data controllers and themselves to get acquainted with the new data protection regime under the GDPR. During that phase, relatively few fines were handed down. This phase is over and the number of fines has been increasing since 2019. In 2022, "Big Tech" in particular was the focus of regulators and unprecedented fines were imposed. While this was already the case in 2021, 2022 again brought some exceptionally large fines in the hundreds of millions of euros against social media platform operators, so that the five largest fines to date now all lie in the range of EUR 225 million to EUR 746 million.

Data protection will continue to be under close supervision of the authorities and data controllers are best advised to continuously monitor and improve their processes and security measures.

Authors

Dr. Alexander Schmid
Senior Associate
Rechtsanwalt
Munich
Luiza Esser
Research Associate
Munich