There have been more than 59,000 personal data breaches reported to European data protection regulators in the first eight months following the enforcement of GDPR. From available data, the precise figure is calculated at 59,430.
Global law firm DLA Piper compiled the details from statistics made available by the different European regulators. It found that the greatest number of reported breaches occurred in the Netherlands (15,400), followed by Germany (12,600) and the UK (10,600).
To an extent, this is to be expected since these are among the more populated countries of Europe. It’s a slightly different picture when the reported breaches are ranked by population density. Netherlands still heads the list with 89.8 breaches per 100,000 people, but is now followed by Ireland (74.9) and Denmark (53.3). The UK and Germany drop down to tenth and eleventh positions with 16.3 and 15.6 respectively.
DLA Piper suggests that companies are heeding “the new breach notification rules, no doubt in part due to concerns about the high sanctions for not notifying,” Many of the notifications are likely to be trivial, with single emails being sent to the wrong person; but the result is clearly stretching the resources of the regulators.
“Inevitably,” says the report, “the larger headline grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.” Notably among chosen investigations, CNIL in France chose to investigate complaints against Google, with the subsequent €50 million fine being by far the largest levied so far.
“So far,” reports DLA Piper, “the level of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose. However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications.”
It is likely, suggest the lawyers, that the regulators and courts will use European competition law and jurisdiction when setting the level of future fines. If this happens, it is likely we will eventually see “some eye-catching multi-billion Euro fines”. However, this is not certain. Legal commentators in Germany have argued that the application of competition law principles to GDPR fines would violate the principles of legality and proportionality demanded by the European Charter of Fundamental Rights, and that local procedural rules should be applied.
This would lead to lower fines; and DLA Piper expects early test cases by regulators trialing the limits of their new powers.
The report tells us little about how the regulators will enforce GDPR going forward. Companies waiting to see what happens will have to wait a bit longer, although the consensus is that there will be major fines levelled during 2019. However, there is a further complication that has received little media attention that could yet have major implications for UK companies, and U.S. companies headquartered in the UK, trading with Europe following Brexit.
The UK’s Data Protection Act 2018 (DPA) is touted as the UK implementation of GDPR. It is claimed to ensure that the UK will have data protection equivalence with the EU after Brexit. However, at least one leading privacy expert doubts this. Chris Pounder is director at Amberhawk Training and Amberhawk Associates. Prior to that he was with law firm Pinsent Masons, and has advised the Ministry of Justice on its approach to GDPR in the field of law enforcement.
Pounder believes that the EU will find the DPA 2018 lacking. His concern goes back to the earlier DPA 1998 (the UK’s implementation of the EU Data Protection Directive). The EC had a long running infringement notice against the UK — and Pounder fears this will be repeated with GDPR.
In a blog posted Wednesday (Feb. 6) he describes his failed attempts to get an answer through freedom of information requests. However, he did receive the minutes of a meeting between the European FoI ombudsman and the EC discussing one of his requests. It includes, “However, the infringement procedure is still open since one of the issues remains unresolved and also constitutes a concern under the GDPR.”
He comments, “I cannot see the UK being determined as being ‘adequate’, if the Commission were thinking of infraction proceedings if the UK would have remained a Member State of the European Union.” The danger is that what might have been treated as an infringement notice with the UK as part of the EU will turn into simple rejection after the UK leaves the EU.
In short, there is the potential for UK companies — and foreign companies headquartered within the UK — to fully conform to what they believe to be GDPR only to find themselves still targeted by EU regulators as being non-compliant with GDPR post-Brexit.