Fines for violations of the European Union’s landmark privacy law have soared nearly sevenfold in the past year, according to new research.
EU data protection authorities have handed out a total of $1.25 billion in fines over breaches of the bloc’s General Data Protection Regulation since Jan. 28, 2021, law firm DLA Piper said in a report published Tuesday. That’s up from about $180 million a year earlier.
Notifications of data breaches from firms to regulators climbed more modestly, by 8% to 356 a day on average.
GDPR has been in force since 2018. The sweeping changes to the EU’s data rules are aimed at giving consumers in Europe more control over their information.
Companies are required to obtain clear consent from users before processing their details. And firms must notify authorities about any data breach within 72 hours of first becoming aware of it.
Failure to comply can result in hefty fines: up to 4% of a company’s annual global revenues or 20 million euros ($22.8 million), whichever is the bigger amount.
“GDPR has certainly been effective in making everyone sit up and listen to data protection law and data protection enforcement,” Ross McKean, chair of DLA Piper’s U.K. data protection and security group, said.
McKean says a major “headache” for organizations going forward is legal uncertainty surrounding EU-U.S. data transfers.
In addition to increased legal uncertainty, McKean says he expects to see further appeals of GDPR fines emerge in 2022.