European data protection rules are growing stricter – and more companies are falling foul of them.
When the European Union’s General Data Protection Regulation (GDPR) was introduced in 2018, it was designed to harmonize data privacy laws across European states and to protect the sanctity and security of individual users’ electronic data. Since then, it has managed to bring the wild west of big tech to heel and has proved the model for plenty of other data protection laws worldwide, including California’s own consumer privacy act, which follows in its footsteps.
The GDPR has had a significant effect, making the digital world safer for those who use it every day, and instilling in the principles and business models of many companies a basic sense of the importance of making sure people’s data isn’t abused and is properly and proportionately used to provide services that are useful to them.
But of course, four years on, companies still fall foul of the GDPR rules. For every firm that has carefully conducted impact assessments and ensured it doesn’t put a foot wrong in handling and using people’s personal data, there are other companies that are less stringent in what they do. And the number of companies falling foul of the GDPR, and the fines they’re given, are increasing over time.
2021 was a record year
Throughout the last 12 months, more than 400 fines were issued by the European Union for breaches of the GDPR, totaling more than €1 billion in all. That’s up a staggering 521% on the previous year, when just €171 million of fines were issued by the European Union for mishandling data. In part, the increase can be attributed to the types of companies that were fined, and the reasons they were fined. Companies like Amazon and WhatsApp had to pay the most significant penalties for violating GDPR laws, and their large user numbers mean that they bumped up the total.
Indeed, Amazon Europe Core S.a.r.l contributed nearly 75% of the fine total for a single issue. In July 2021, it was fined €746 million. In September, WhatsApp Ireland Limited was slapped with a €225 million fine.
“GDPR continues to successfully hold businesses accountable when they misuse people’s data or are ambiguous about their privacy policies,” says Vilius Kardelis at Atlas VPN. “Companies became more responsible when handling their client information to avoid hefty fines from regulators, ultimately benefiting every EU citizen.”
Who was the worst?
Of all the fines levied for GDPR breaches since the GDPR was introduced, the lion’s share was targeted at companies based in Spain. The country’s businesses saw 351 fines, resulting in nearly €37 million of penalties. Italy came second in terms of the number of companies fined, with 101 fines requiring businesses to pay nearly €90 million. The average penalty in Italy stood at about €887,000, one of the largest compared to other countries, according to Atlas VPN, which analyzed the amounts. Romania came third for the number of fines, with 68 sanctions in total over the period of the GDPR.
It’s an indication of how important and central the GDPR has become to the world of tech that the value and number of fines have increased over time since the implementation of the regulation in 2018. In the first year that the GDPR came into force, just €436,000 of fines were levied. That had increased to €72 million by the following year. The message for companies is clear: make sure you follow all the rules around data handling and don’t forget the importance of keeping people’s information safe – otherwise, you may be hit with a big financial penalty.