European data regulators issued EUR 1.64 billion in GDPR fines last year – a 50% increase on the previous year, according to global law firm DLA Piper

Global law firm DLA Piper publishes the 2023 edition of its annual GDPR and Data Breach survey revealing total fines issued for a wide range of GDPR infringements and the league table of fines issued by country since January 28th 2022. The survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein.

• European data protection supervisory authorities have issued EUR1.64 billion since 28 January 2022, a 50% increase against the previous year

• This year’s highest fine of EUR 405 million was imposed by the Irish Data Protection Commissioner against Meta Platforms Ireland Limited relating to Instagram for various alleged failures to protect children’s personal data.

• The average number of notified data breaches per day fell slightly from 328 notifications per day to 300 notifications per day suggesting that organisations might be becoming warier of notifying breaches for fear of investigations, fines and compensation claims. The Netherlands remains at the top of the table for the number of breach notifications made per 100,000 capita

• Luxembourg remains at the top of the country league table for the highest GDPR fine imposed since 25 May 2018: a fine of EUR 746 million. But Ireland is catching up, taking the 2nd, 3rd, 4th, 5th and 6th places in the country fines league table after a very busy year for the DPC

Global law firm DLA Piper has today published the findings of its annual GDPR and Data Breach Survey. The Europe-wide survey has revealed another record year with a 50% year on year increase in the total value of fines issued across Europe.

Among the largest fines levied were those against Meta Platforms Ireland Ltd. (Meta) demonstrating that social media, and its reliance on extensive processing of personal data, have been a particular focus of regulatory action. Several of the largest fines imposed against Meta this year by the Irish DPC relate to Facebook and Instagram’s behavioral profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data.  While the Irish DPC originally concluded that this was possible, the influential European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers, and how “free” online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed and years of subsequent litigation.

The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day this year. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.

While personal data issues around advertising and social media have dominated headlines this year, there is a growing focus on Artificial Intelligence, and the role of personal data used to train AI. Most prominently this year multiple investigations into facial recognition company Clearview AI took place following complaints by digital rights organisations, including Max Schrems’s organisation My Privacy is None of your Business (NOYB) with several fines issued. As AI and machine learning platforms continue to become more ubiquitous, the survey predicts more regulatory investigations and enforcement for the year ahead with a focus on both providers and users of AI.

The survey also reports some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).

Commenting on the survey, Irina Macovei, Counsel at DLA Piper said: “DLA Piper’s annual survey is a key tool for privacy professionals to understand trends in enforcement of data protection – as disappointing or intriguing such trends may be – and a great support tool in communicating effectively such trends to key stakeholders. It is an overview that shows, time and time again, that national particularities must always be factored in, although we refer to a EU regulation”.

“I am particularly worried about the absolutist interpretation of GDPR’s data transfer rules exhibited by certain supervisory authorities over the course of last year” added Andrei Stoica, Senior Associate. “Not only does this approach arguably collide with the proportionality principle under EU law, but it may also hinder the legitimate flow of information from and to Europe, discourage innovation and ultimately slow down progress. I certainly hope that 2023 will see a shift in attitude towards such transfers.”

About DLA Piper

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world.