What a year for GDPR enforcement: 2021/2022 saw various landmark cases including: a new record fine of EUR 743 million; the total amount of all fines since May 2018 exceeding the EUR 1 billion mark in summer 2021; and the total number of cases passing 1,000 in early 2022. Landmark cases were widely reported, obviously drawing a lot of public attention and increasing overall awareness for data protection law. However, there is a GDPR enforcement reality beyond record fines and it may be worth taking a closer look: focussing solely on severe fines could lead to fear and even reluctance or ignorance on compliance issues.
We still believe that facts are better than fear.
Our continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear: in contrast, the annual GDPR Enforcement Tracker Report ("ET Report") is our deep dive approach and permits greater insight into the world of GDPR fines.
We are pleased that our analysis for this third edition of the ET Report is based on a larger overall data set with more than 1,031 cases.
Numbers & Figures and Enforcement Insights per Business Sector
The third edition again kicks off with the statistical analysis of the existing fines in the "Numbers and Figures" section followed by the tried and tested "Enforcement Insights per Business Sector"
- Finance, insurance, and consulting
- Accommodation and hospitality
- Health care
- Industry and commerce
- Real estate
- Media, telecoms, and broadcasting
- Public sector and education
- Transportation and energy
- Individuals and private associations
as well as the overarching Employment category.
The Enforcement Insights permit first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We have also analysed the DPAs' reasoning for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications for data protection litigation - in particular, data subjects' claims for material or immaterial damages according to Art. 82 GDPR are on the rise. This trend is unlikely to stop, in particular supported by collective redress mechanisms and legal tech offerings already now increasing the risks of, and resources needed for, data protection claims management.
Local law and practice matter - Enforcement Insights per country
After four years of applying GDPR, we are not the only ones to have learned that, despite the GDPR "full harmonisation" approach, there is virtually no other area that has been shaped more by national laws and official practice than that of GDPR fines. This may be the reason why Spain tops the list of countries with the most fines again this year. Whereas an extended in depth-analysis of the reasons for local deviations would exceed our capacities, we have asked fellow privacy professional in various jurisdictions to provide some background information on the local data protection enforcement landscape (Editor's note: the United Kingdom remains in the ET Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures, at least for now, regulatory consistency regardless of Brexit). An "Enforcement Insights per country" section will be added to the ET Report by the end of June - so stay tuned to learn more about this relevant topic.
Both the ET Report and the Enforcement Tracker are living projects. We highly appreciate any form of feedback (of course, constructive is preferred.) and want to thank everybody who has reached out over the last year.
We have received interesting thoughts, hints on forgotten fines (hidden deep in remote corners of a supposedly completely captured world), and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU. These last demonstrate that the data protection landscape is quickly evolving on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have interacted with peers from the legal profession, and privacy professionals with an advanced tech background, as well as researchers from various disciplines.
To view the full article please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.