EUR1 billion in GDPR fines issued by Data Protection Commission last year

Global law firm DLA Piper has today published the findings of its annual GDPR and Data Breach Survey. The Europe-wide survey has revealed another record year with a 168% year-on-year increase in the total value of fines issued across Europe.

Among the largest fines levied were those against Meta Platforms Ireland Ltd. (Meta) highlighting that social media, and its reliance on extensive processing of personal data, has been a particular focus of regulatory action. Several of the largest fines imposed against Meta this year by the Irish DPC relate to Facebook and Instagram’s behavioural profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data.

While the Irish DPC originally concluded that this was possible, the influential European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers, and how “free” online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed, sparking years of subsequent litigation.

The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day this year. This may in part be a sign that organisations are becoming warier of notifying data breaches to regulators for fear of investigations, fines and compensation claims.

While personal data issues around advertising and social media have dominated headlines this year, there is a growing focus on Artificial Intelligence (AI), and the role of personal data used to train AI. Most prominently this year, multiple investigations into facial recognition company Clearview AI took place following complaints by digital rights organisations, including Max Schrems’s organisation My Privacy is None of Your Business (NOYB), and several fines were issued as a result. As AI and machine learning platforms become ubiquitous, the survey predicts more regulatory investigations and enforcement for the year ahead, with a focus on both providers and users of AI.

The survey also reports some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).

John Magee, Partner and Head of Data Protection, Privacy & Information Security at DLA Piper Ireland, commented on the report: “2022 was a significant year for Ireland’s Data Protection Commission. The Irish regulator issued fines amounting to more than one billion euro throughout the year meaning the DPC is now top of the European table in terms of the total value of fines issued for GDPR violations.

It is clear from activity throughout the year that the GDPR’s consistency mechanism, which was put in place to ensure that EU data protection law is enforced uniformly across all member states, has resulted in a tougher approach being taken by the DPC. While most of the larger headline-grabbing fines have been levied against social media companies, the DPC is increasingly looking at organisations from all sectors so businesses across the board would be well advised to get their house in order to avoid sanctions.”

“This year’s report also found that the average number of notified data breaches per day – both in Ireland and across Europe – fell for the first time since GDPR came into force in 2018. With data protection enforcement on the rise, it is probably no coincidence that organisations are increasingly cautious around when and how they report data breaches to regulators. The fear of investigations, fines and compensation claims is likely driving what is a small but significant reduction in breach reporting numbers,” concluded Magee.