Study Discovers “Highly Inflationary Impact” of Decisions by the European Data Protection Board

Last year, the cost of breaking the General Data Protection Regulation (GDPR) in Europe surged, with Big Tech companies paying most of the 2.9 billion euros in fines imposed by regulators.
That total, equivalent to more than $3.1 billion, is over twice the amount levied in 2021, according to research by the law firm DLA Piper.
Ireland, where Google, Apple, and Facebook have their European headquarters, led the way on large fines, for instance fining Facebook 265 million euros in November for a data scraping incident.
DLA Piper's topline figure, which runs into the billions of dollars, covers GDPR fines levied since January 28, 2022, by the 27 EU member states plus Iceland, Liechtenstein, Norway, and the United Kingdom. Before its exit from the European Union, the U.K. implemented the GDPR into local law in 2018.
Since not all European nations publish specifics of every fine, and some have yet to release complete data on all fines levied in the previous 12 months, the actual total is probably significantly higher than DLA Piper's estimate.
Even so, the law firm's estimate of known fines represents a jump from the roughly 1 billion euros levied in 2021, which was itself a significant increase from the 159 million euros in fines the year before that.
Organizations handling the personal information of Europeans must adhere to strict data protection and breach notification requirements under GDPR, which has been in effect since May 25, 2018. Organizations that fail to comply risk fines of up to 4% of their annual global revenue or 20 million euros, whichever is higher. Regulators can also bar an organization from processing personal data altogether.
The Irish Data Protection Commission issued Facebook's parent company Meta the year's biggest single penalty, 405 million euros, for various alleged breaches involving the protection of children's data on Instagram. At the time, Meta said it would appeal the ruling and disputed how the fine amount was determined.
According to DLA Piper, the European Data Protection Board, an independent EU body tasked with ensuring uniform GDPR enforcement across member states, is responsible for at least some of the increase in the total amount of fines. In no case decided by the EDPB in the previous year was a proposed fine amount decreased, and this pattern had a “highly inflationary impact” on individual fine amounts.
DLA Piper's research states that “where fines were referred to and decided by the EDPB through the GDPR consistency process during 2022, an average 630% increase was required by the EDPB relative to the fine initially proposed by the lead competent authorities.”
The law firm's analysis also shows that while fines are rising, the number of breaches notified to regulators has fallen. GDPR watchdogs across the surveyed countries now receive, on average, 300 data breach notifications per day, down from 328 per day over the previous 12-month period.
One explanation for the decline, according to the report, is that “organizations might be becoming more cautious about reporting breaches for fear of investigations, fines, and compensation claims.”
2023 May Also Be a Bumper Year
Earlier this month, the EDPB gave Ireland's Data Protection Commission the go-ahead to fine Meta 210 million euros over Facebook and 180 million euros over Instagram. Both penalties were substantially higher than what the DPC had initially proposed.
According to lawyers Jonathan Armstrong and André Bywater of the London-based law firm Cordery, the GDPR investigation centered on Meta having “altered the legal basis for processing personal information from consent to the fulfillment of a contract between the user and Meta.” In practice, this required Facebook and Instagram users to accept the terms and conditions Meta introduced when GDPR took effect in order to keep using the services.
Meta says it will appeal the decisions of the EDPB and the DPC. Meanwhile, Ireland's privacy watchdog may be preparing for its own legal battle with the EDPB, which it has accused of overstepping its authority and undermining the independence of the DPC. The Cordery attorneys note that the EDPB “effectively tried to direct the DPC to perform a sort of audit of Meta and its data protection processes, including its handling of special category data—also known as sensitive personal data.”
Under the EDPB's rulings, Meta can only target users with lucrative behavioral advertising if it obtains their explicit consent. Other tech giants that rely on the same legal basis could face the same restrictions.
In light of the issues involved, Ross McKean, head of DLA Piper's U.K. Data Protection and Cybersecurity Group, predicts years of appeals and litigation. “The law is still not entirely clear on these topics.”