Ireland ranked second highest in EU for GDPR fines in 2021

18 Jan 2022

Image: © RomanR/Stock.adobe.com

A DLA Piper report found that the total value of GDPR fines handed out last year was nearly seven times higher than in 2020.

More than €1.1bn worth of GDPR fines were issued from 28 January 2021, with Ireland ranked second highest for fines imposed, according to law firm DLA Piper.

The firm’s latest GDPR survey noted that Ireland imposed the second largest fine last year, slapping WhatsApp Ireland with a €225m penalty in September 2021. Luxembourg was first with its €746m fine for Amazon in August.

Future Human

With the WhatsApp fine, which is subject to ongoing appeals, Ireland now also ranks second in the EU for total fines under GDPR to date.

DLA Piper said the total value of fines from 28 January last year was almost seven times higher than the €158.5m in penalties imposed by data protection authorities in 2020.

There was also an increase in the number of data breach notifications, with more than 130,000 personal data breaches notified to regulators throughout the year. This was an average of 356 breach notifications per day, an 8pc increase on 2020’s daily average.

A total of 6,802 data breaches were reported to Ireland’s Data Protection Commission (DPC) in the past 12 months, ranking sixth highest in the EU and fourth highest based on population.

Impact of Schrems II

The report also highlighted the impact of the landmark Schrems II ruling in July 2020, stemming from privacy advocate Max Schrems’ complaint against Facebook to the DPC.

Ross McKean, chair of the UK data protection and security group at DLA Piper, said this ruling surrounding US-EU data transfers has “established itself as the top data protection compliance challenge for many organisations caught by GDPR”.

The law firm said in its report that the Schrems II judgement doesn’t just create a risk of fines but also threatens service interruptions in the event that data transfers are suspended, which can pose problems for business continuity.

“The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers,” added Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group.

“Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations and is beyond the means of many small and medium-sized enterprises.”

2022 predictions

Looking ahead, DLA Piper predicted that data transfers are not going to stop any time soon as we live in “a hyperconnected world with many cloud vendors based in the US and other third countries”.

The report said there will be a greater reliance on the new Standard Contractual Clauses, but many data transfers are likely to continue without these measures “given the complexity and prevalence of international supply chains and for many organisations the unachievable compliance burden imposed by Schrems II”.

The law firm also predicted further enforcement activity by data regulators across the EU, along with broadening enforcement activity by financial regulators.

“Moreover, businesses can expect to face scrutiny around data transfer compliance in the context of audits, due diligence, procurement processes and other compliance verification exercises.”

Updated, 11.30am, 18 January 2022: A previous version of this article said the top GDPR fines were €746,000 for Amazon and €225,000 for WhatsApp. These were amended to the correct figures of €746m and €225m.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com