Study shows a sevenfold increase, with Big Tech firms paying most of the money

Fines for violations of the EU’s General Data Protection Regulation (GDPR) soared over the past year, according to a report by DLA Piper.

EU data protection authorities levied $1.25 billion in fines over breaches of the GDPR in 2021. That’s up from about $180 million a year earlier, according to the report.

The $1.25 billion figure is taken from the law firm’s latest annual GDPR Fines and Data Breach Survey. The survey studied the actions of the 27 European Union member states plus the UK, Norway, Iceland and Liechtenstein.

Notifications of data breaches from firms to regulators climbed more modestly, by 8% to 356 a day on average.

This year Luxembourg and Ireland moved up the table, both imposing record-breaking fines. They replaced Italy and Germany in the top two spots.

Punching above their weight: the biggest fine was levied by tiny Luxembourg

The highest GDPR fine to date is the one imposed by the Luxembourg National Commission for Data Protection (CNPD): EUR 746 million on a US-based online retailer. This is more than 14 times higher than the previous largest GDPR fine of EUR 50 million, which was imposed by France’s CNIL on Google.

According to the survey findings, the Schrems II judgement doesn’t just create a risk of fines and claims for compensation; it also threatens service interruption if data transfers are suspended, with serious implications for business continuity.

The report quotes Ross McKean, Chair of the UK Data Protection and Security Group. “The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims,” he said.