Firms pay €114m in first GDPR fines across Europe

The UK, due to leave the EU at the end of January, has enforced GDPR-strength laws

Companies in France, Germany, Austria, Italy and Bulgaria have paid more than €100 million in fines for data breaches since the European Union’s general data protection regulation (GDPR) came into force in May 2018.

Total payments so far are €114m, but that total is likely to soar and the UK’s data protection regulator has threatened fines totalling €329m – though they have not yet been finalised and imposed.

Law firm DLA Piper says the Netherlands reported most data breaches between 25 May 2018, when the GDPR law came into force, and this month, with 40,647 incidents filed. Germany reported 37,636 and the UK 22,181.

The GDPR law covers the European Economic Area (EEA), which includes all 28 Member States of the EU plus Norway, Iceland and Liechtenstein. The UK, due to leave the EU at the end of January, has enforced GDPR-strength laws.

The law firm notes that the UK’s Information Commissioner’s Office (CO) “made global headlines when it announced notices of intent to fine companies from the airline and hospitality industries £183 million (about €213m/$238m) and £99m (about €115m/$129m) respectively for alleged poor security arrangements and failures to carry out appropriate due diligence”, though it points out: “At the time of writing neither of these fines have been finalised”.

The UK ICO “has so far only issued one relatively small fine under GDPR for £275,000 in December 2019 despite having received 22,181 personal data breach notifications to date”, says DLA Piper.

“With over 160,000 data breach notifications having been raised across Europe since GDPR’s implementation, it’s clear that citizens are feeling more empowered to put companies and regulators under pressure to ensure that their rights are respected, whether through individual complaints or group action. But this should not come as a surprise,” said Jean-Michel Franco, Senior Director Data Governance, Talend.


Time is precious, but news has no time. Sign up today to receive daily free updates in your email box from the Data Economy Newsroom.

“With more and more high-profile data privacy violations, breaches and misuse hitting the headlines, consumers are facing a crisis of confidence and distrust is manifesting itself in different displays of resistance.

“Despite having generated €114m in fines to date, the enforcement of GDPR looks to ramp-up over the next year or so with more fines being issued to those that do not comply with the EU regulation.

“Today’s news should serve as a clear warning to UK businesses – big and small – regarding the proper management and governance of the personal data they process.

“Going forward, businesses need to invest in an appropriate data strategy to ensure compliance with the GDPR.

“This not only means having the right systems in place, but also the right teams and resources to appropriately manage the increasing volumes of data being generated.

“A change must also be made culturally, making transparency and trust central pillars within the business, ensuring that they do not take customer data for granted.”

Read the latest from the Data Economy Newsroom: