When Viviane Reding (MEP and former vice-president of the European commission) proposed the GDPR in 2012, she said that, “reform will restore trust in digital services today, thereby reigniting the engine for growth tomorrow.” Statistics suggest that since the GDPR was implemented in 2018, regulators have toughened up on GDPR violations and the appetite to do so is seemingly still growing.
It is noteworthy that the sum and number of GDPR penalties have been on an upward trajectory since the GDPR was implemented in 2018. GDPR fines went from €436k in 2018, to €72 million in 2019 and then up to €171 million in 2020. According to Atlas VPN, GDPR fines skyrocketed even more in 2021 with 412 penalties that, for the first time ever, collectively totalled over €1 billion. This is a staggering 521% increase since 2020 and it has set alarm bells ringing.
While the rise in the total penalties was eye-watering in 2021, the increase in the actual number of penalties issued was also notable, but by no means incomparable to previous years. Last year was unprecedented because of two fines in particular:
- The National Commission for Data Protection in Luxembourg fined Amazon €746 million for its use of customer data for advertisements (see our earlier article on this here). This represented the largest fine issued to date under the GDPR.
- The Data Protection Commission in Ireland fined WhatsApp Ireland €225 million for breaching various cross-border and data privacy standards. This fine was the outcome of a lengthy three year investigation that started back 2018. It is the second highest fine to have ever been issued under the GDPR.
Together, these two fines come to a sizeable €971million and on their own, they make up 97% of all fines issued in 2021. If we take these two fines out of the equation, the figures from 2021 are far less spectacular.
From the outset and throughout 2021, Spain, Italy, Romania, Hungary and Norway proved themselves to be the most active member states based on the number of GDPR fines they issued. However, CNIL issued some of the highest fines in 2021, as it had in previous years. In December 2021, CNIL issued a fine for €90 million against Google LLC, €60 million against Google Ireland Ltd and €60 million against Facebook Ireland Ltd. The figures from 2021 were rather consistent in this respect.
Interestingly, the two highest GDPR fines in 2021 were issued by DPAs that have, until recently, been considered rather inactive with issuing fines. Ireland has in the past been criticised for being under resourced and failing to issue fines quickly enough. Leading tech companies such as Apple, Google, and Twitter, set up their main establishments in Ireland, making use of the DPC as their lead supervisory authority. Luxembourg and Ireland went from being two of the most inactive member states, to the two fiercest in the EU.
While analysing 2021, it is also important to note that we have over the years seen an increasing number of companies appeal penalties and significantly lower their fines. In 2020, 1&1 Telecom GmbH was the first litigant to successfully challenge a GDPR fine. It managed to reduce its fine for €9.55 million by more than 90%, down to €900,000. In the same year, British Airways appealed and reduced its fine from the ICO from £183 million, down to £20 million. Companies have become a lot less reluctant to challenge penalties and it will be interesting to see how Amazon and WhatsApp Ireland challenge their fines and how 2021 will look in years to come when the figures have been subject to an appeals process.
Only time will tell just how much the GDPR will restore trust in digital services, but if we can take anything from 2021, it is that we must keep igniting the engine for better data protection, or risk paying the price.