At a time when India is grappling with the idea of data protection legislation and the practicalities of implementing it, there is some encouragement for those who seek such a law. Since the General Data Protection Regulation (GDPR) took effect in May 2018, as many as 160,000 breach notifications have been made in Europe, and regulators have imposed fines totalling over $126 million.
A report published by the law firm DLA Piper says the largest fines were imposed in France, while the Netherlands took the top position for breach notifications on a per capita basis. Italy, by contrast, reported very few notifications for its size, suggesting either uneven enforcement or a different approach to reporting.
The note on the firm's website quotes its GDPR Data Breach Survey to point out that a further $366 million in fines has been threatened in the United Kingdom, where the regulator has issued notices of intent that are not yet final. The GDPR came into force on May 25, 2018, and it is the model for the regime India has since proposed in the Personal Data Protection Bill, 2019.
The survey, which covers the 28 European Union Member States plus Norway, Iceland and Liechtenstein, says the fines were imposed for a wide range of GDPR infringements and were not limited to data breaches. While France, Germany and Austria topped the rankings by value of fines, the Netherlands and the UK notified the largest number of data breaches.
The daily rate of breach notifications has also risen by 12.6%, from 247 notifications per day in the first eight months of GDPR (25 May 2018 to 27 January 2019) to 278 per day over the following twelve months, the report said.
Of the 27 countries that provided data on breach notifications, the UK, Germany and France ranked thirteenth, eleventh and twenty-third respectively on a per capita basis. Italy, Romania and Greece reported the fewest breaches per capita. Italy, a country with a population of over 62 million people, recorded only 1,886 data breach notifications, illustrating the cultural differences in approach to breach notification.
The highest GDPR fine to date is the $55 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent rather than for a data breach. Following two high-profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling $366 million, although neither had been finalised as of the date of the report.
Commenting on the report, Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”
Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”
By the looks of it, the GDPR regime has made both enterprises and consumers more aware of the challenges of data privacy. It remains to be seen how other countries tackle the issue, especially one like India, where data privacy does not yet appear to register as a security concern for most internet users.