EUR 114 million fines dished out over GDPR

Since its implementation in May 2018, the General Data Protection Regulation (GDPR) led to over 160,000 data breach notifications across Europe. French data protection regulator CNIL fined Google EUR 50 million last year, which was the largest penalty for alleged infringements of GDPR.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said his firm’s findings showed “we’re still in the very early days” of enforcement. It’s been roughly 20 months since the EU’s new rules were introduced.

“It’s not a huge surprise that we’re seeing a slow start to fines, but there’s more to come,” McKean told CNBC in an interview.

Under GDPR, a company can be fined either EUR 20 million or up to 4% of their annual revenues, whichever is the greater amount. The stakes are considerably high for companies like Google and Facebook, which handle a huge amount of data and make billions of dollars every year.

Authorities have been looking into potential violations of the landmark EU law across the continent. Ireland’s Data Protection Commission has multiple ongoing investigations into GDPR violations, probing a range of big tech companies from Facebook to Apple.

DLA Piper said that the rate of data breach notifications increased almost 13% from the first eight months of GDPR to the current year. The firm notes that not all member states of the EU make their breach notification statistics publicly available and that many only provided figures for part of the period covered by the report.

Cover photo: Getty Images