Site navigation

European Authorities Have Fined Firms €114 Million Under GDPR

Duncan MacRae



France has imposed the highest fines to date, while per capita the Netherlands tops the rankings for breach notifications.

European data protection regulators have imposed €114 million (£97 million) in fines under the GDPR, which came into effect on the 25th of May 2018.

This is one of the key findings from GDPR Data Breach Survey conducted by law firm DLA Piper, which has an office in Edinburgh.

A further €329 million (£281 million) in fines have been threatened by UK regulator, the Information Commissioner’s Office (ICO).

More than 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein.

France, Germany and Austria topped the rankings for the total value of GDPR fines imposed with just over €51 million (£43.5 million), €24.5 million (£21 million) and €18 million (£15 million) respectively. The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications each.

The daily rate of breach notifications has also increased by 12.6% from 247 notifications per day for the first eight months of GDPR from 25 May 2018 to 27 January 2019, to 278 breach notifications per day for the current year.

Weighting the results against country populations, the Netherlands again come top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark. From the 27 countries that provided data on breach notifications, the UK, Germany and France ranked thirteenth, eleventh and twenty-third respectively on a reported fine per capita basis. Italy, Romania and Greece reported the fewest number of breaches per capita. Italy, a country with a population of over 62 million people, only recorded 1886 data breach notifications illustrating the cultural differences in approach to breach notification.

The highest GDPR fine to date was €50 million (£43 million) imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for data breach. Following two high profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling £282 million (€329 million) although neither of these were finalised as at the date of this report.


Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.

“The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”

Not all Member States of the European Economic Area make breach notification statistics publicly available. Many have only provided statistics for part of the period covered by DLA Piper’s report. Similarly not all GDPR fines are publicly reported.

Duncan MacRae


Latest News

%d bloggers like this: