EU regulators have slapped businesses with an estimated €114m (£97.29m) in fines for data leakage or crappy practices since GDPR was introduced in May 2018, although bigger numbers are expected in future penalties.
Regulators in France, Germany, and Austria reported the biggest fines so far, according to a report by law firm DLA Piper. More than 160,000 breaches have been reported across EU member states plus Norway, Iceland and Liechtenstein. The latter three are all members of the European Economic Area but not full EU members.
France was responsible for the heftiest financial penalty, hitting Google with a €50m bill for infringement of the transparency principle and lack of valid consent.
The Netherlands reported the largest number of offenders, with 40,647 breaches notified to regulators. Germany came in second with 37,636 notifications, and Britain came in third with 22,181.
The UK's Information Commissioner's Office has already announced its intention to fine British Airways £183m for computer attacks that exposed 500,000 customers' data last year, and hotel chain Marriott £99m over a cyber attack in which hackers stole the records of 339 million guests.
GDPR was established to protect privacy by imposing restrictions on how companies use and protect customers' data. The legislation gave regulators the power to fine companies as much as 4 per cent of global annual revenues for serious violations.
The fines so far are small in comparison to the EU's anti-trust cases, which last year alone stung Google with a record €4.3bn fine over the Android mobile OS. Yet GDPR fines are likely to rise as they establish legal precedents, according to Ross McKean, a partner at DLA Piper specialising in cyber and data protection.
"The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement," he said in a statement. "We expect to see momentum build with more multimillion-euro fines being imposed over the coming year as regulators ramp up their enforcement activity." ®