Share this article on:
A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).
The Netherlands saw the highest number of breaches per capita, followed by Ireland, and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base.
Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that there had only been 41,502 data breaches reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Lichtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures also only included data breaches reported in 21 of the 28 member states.
The data for the DLA Piper report came from breach notifications filed in 23 EU member states and by EEA members. Data breach reports have not been made public in Bulgaria, Croatia, Estonia, Lithuania, and Slovakia.
The number of data breaches reported so far appears higher than before GDPR came into effect. That does not mean there has been an increase in data breaches, only that more companies are reporting breaches and breaches are also being reported more quickly. GDPR requires breach notifications to be issued within 72 hours of the discovery of a breach.
Financial Penalties for GDPR Violations and Data Breaches
DLA Piper has been tracking GDPR fines since the compliance deadline. To date, 91 financial penalties have been issued. Financial penalties can be issued for any violation of GDPR. In addition to data breaches, GDPR supervisory authorities investigate complaints about privacy violations. It was such a complaint that resulted in the largest GDPR violation penalty issued to date: The €50 million ($57 million) fine for Google issued by the French supervisory authority, CNIL.
The supervisory authorities in Germany have been the most active enforcers of GDPR since the May 25, 2018 compliance deadline. 64 of the 91 fines have been issued in Germany. Those fines include the two largest financial penalties for companies that have experienced data breaches.
The chat platform Cuddles was fined €20,000 ($22,700) by the German Data Protection Authority LfDI for storing users’ passwords in clear text. LfDI also issued an €80,000 ($91,000) financial penalty to an organization that published health information on the internet – The second largest GDPR data breach fine to date.
Only a relatively small number of fines have been issued in relation to data breaches; however, many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through. Some data breaches reported in 2018 may still result in fines.
DLA Piper notes that the majority of the fines issued to date have been relatively low; much lower than the maximum penalty of €20 million or 4% of global annual turnover, whichever amount is higher. DLA Piper anticipates there will be several fines of tens or even hundreds of millions of euros issued in 2019 once the supervisory authorities have cleared the backlog of data breach reports and GDPR complaints.