European data regulators issued €1.1 billion in GDPR fines in 2021

The UK placed sixth on the GDPR fine table with its £20 million fine levied against British Airways

European data regulators issued €1.1 billion (£920 million) in GDPR fines last year, a 585% increase compared to 2020. 

This is according to international law firm DLA Piper, which surveyed 27 EU member states, as well as the UK, Norway, Iceland, and Liechtenstein.

The survey identified an 8% increase in GDPR breach notifications from 2020’s average of 331 notifications per day to 356 in 2021.

Since 28 January 2021, there have been over 130,000 notified personal data breaches in total, with the Netherlands having the most breach notifications per 100,000 people. At the other end of the spectrum, Croatia, the Czech Republic, and Greece reported the fewest breach notifications per capita.

Luxembourg issued the highest individual GDPR fine in 2021 with its €746 million fine levied against Amazon. It was followed by Ireland and its €225 million fine imposed against WhatsApp, and France with its €50 million fine against Google.

The UK came in sixth place with the £20 million fine imposed on British Airways for losing the financial and personal details of around 380,000 customers in a cyber attack in September 2018. Since the implementation of GDPR, the UK has reported 40,026 personal data breach notifications, with 8,355 being reported in 2020 and 9,490 in 2021 – a 13.6% increase in one year.

DLA Piper’s survey also identified Schrems II, based on the 2020 ruling of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, as the most common GDPR compliance challenge for organisations.

The case was originally brought by privacy activist Max Schrems, who claimed that Facebook was unjustified in its use of so-called ‘standard contractual clauses’ for the transfer of data between its EU headquarters and its US base in Silicon Valley. On 16 July 2020, the European Court of Justice decided that the data transfer mechanism known as Privacy Shield was unable to protect EU residents' data from extensive US surveillance mechanisms, making it no longer valid under GDPR.

Commenting on the survey findings, Ross McKean, chair of the UK Data Protection and Security Group, said that although the nearly sevenfold increase in fines may grab the headlines, it’s Schrems II that “has established itself as the top data protection compliance challenge for many organisations caught by GDPR.”

According to DLA Piper’s survey, the most common implications of the Schrems II judgment aren’t limited to fines and claims for compensation, but also include service interruption caused by the suspension of data transfers, which McKean described as “much more damaging and costly”.

“The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resources to focus on other privacy risks,” he added.
