European data regulators issued €1.1 billion in GDPR fines in 2021

Euro currency symbol displayed on a screen with European Union flag
(Image credit: Getty Images)

European data regulators issued €1.1 billion (£920 million) in GDPR fines last year, a 585% increase compared to 2020.

This is according to international law firm DLA Piper, which surveyed 27 EU member states, as well as the UK, Norway, Iceland, and Liechtenstein.

The survey identified an 8% increase in GDPR breach notifications from 2020’s average of 331 notifications per day to 356 in 2021.

Since 28 January 2021, there have been over 130,000 notified personal data breaches in total, with the Netherlands having the most breach notifications per 100,000 people respectively. On the other end of the spectrum, Croatia, the Czech Republic, and Greece reported the fewest number of breach notifications per capita.

Luxembourg issued the highest individual GDPR fine in 2021 with its €746 million fine levied against Amazon. It followed by Ireland and its €225 million fine imposed against WhatsApp, and France with its €50 million fine against Google.

The UK came in sixth place with the £20 million fine imposed on British Airways for losing the financial and personal details of around 380,000 customers in a cyber attack in September 2018. Since the implementation of GDPR, the UK has reported 40,026 personal data breach notifications, with 8,355 being reported in 2020 and 9,490 in 2021 – a 13.6% increase in one year.

DLA Piper’s survey also identified Schrems II, based on the 2020 ruling of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, as the most common GDPR compliance challenge for organisations.

The case was originally brought by privacy activist Max Schrems, who claimed that Facebook was unjustified in its use of so-called ‘standard contractual clauses’ for the transfer of data between its EU headquarters and its US base in Silicon Valley. On 16 July 2020, the European Court of Justice decided that the data transfer mechanism known as Privacy Shield was unable to protect EU residents' data from extensive US surveillance mechanisms, making it no longer valid under GDPR.


Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools


Commenting on the survey findings, Ross McKean, chair of the UK Data Protection and Security Group said that although the nearly sevenfold increase in fines may grab the headlines, it’s Schrems II that “has established itself as the top data protection compliance challenge for many organisations caught by GDPR.”

According to DLA Piper’s survey, the most common implications of the Schrems II judgment aren’t limited to fines and claims for compensation, but also service interruption caused by the suspension of data transfers, which McKean described as “much more damaging and costly”.

“The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resources to focus on other privacy risks,” he added.

Sabina Weston

Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.

Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.