
European data regulators issued €1.1 billion in GDPR fines in 2021

The UK placed sixth on the GDPR fine table with its £20 million fine levied against British Airways

European data regulators issued €1.1 billion (£920 million) in GDPR fines last year, a 585% increase compared to 2020. 

This is according to international law firm DLA Piper, which surveyed 27 EU member states, as well as the UK, Norway, Iceland, and Liechtenstein.

The survey identified an 8% increase in GDPR breach notifications from 2020’s average of 331 notifications per day to 356 in 2021.

Since 28 January 2021, there have been over 130,000 notified personal data breaches in total, with the Netherlands having the most breach notifications per 100,000 people. At the other end of the spectrum, Croatia, the Czech Republic, and Greece reported the fewest breach notifications per capita.

Luxembourg issued the highest individual GDPR fine in 2021 with its €746 million fine levied against Amazon. It was followed by Ireland and its €225 million fine imposed against WhatsApp, and France with its €50 million fine against Google.

The UK came in sixth place with the £20 million fine imposed on British Airways for losing the financial and personal details of around 380,000 customers in a cyber attack in September 2018. Since the implementation of GDPR, the UK has reported 40,026 personal data breach notifications, with 8,355 being reported in 2020 and 9,490 in 2021 – a 13.6% increase in one year.

DLA Piper’s survey also identified Schrems II, based on the 2020 ruling of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, as the most common GDPR compliance challenge for organisations.

The case was originally brought by privacy activist Max Schrems, who claimed that Facebook was unjustified in its use of so-called ‘standard contractual clauses’ for the transfer of data between its EU headquarters and its US base in Silicon Valley. On 16 July 2020, the European Court of Justice decided that the data transfer mechanism known as Privacy Shield was unable to protect EU residents' data from extensive US surveillance mechanisms, making it no longer valid under GDPR.


Commenting on the survey findings, Ross McKean, chair of the UK Data Protection and Security Group, said that although the nearly sevenfold increase in fines may grab the headlines, it’s Schrems II that “has established itself as the top data protection compliance challenge for many organisations caught by GDPR.”

According to DLA Piper’s survey, the most common implications of the Schrems II judgment aren’t limited to fines and claims for compensation, but also include service interruption caused by the suspension of data transfers, which McKean described as “much more damaging and costly”.

“The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resources to focus on other privacy risks,” he added.
