The EU’s General Data Protection Regulation hasn’t even been in effect for a year yet, but countries in Europe have already reported over 59,000 data breaches since the data privacy law took effect.
That's according to DLA Piper, a multinational law firm based in London with nearly 40 offices across Europe.
According to a survey carried out by the law firm and released this week, there have been 59,430 breaches across Europe in the last eight months; the Netherlands, Germany, and the U.K. topped the list with 15,400, 12,600, and 10,600 breaches respectively.
The Netherlands also had the most breaches per capita, followed by Ireland and Denmark, while countries like Greece, Italy, and Romania had the fewest per capita.
The report specifically looked at breaches reported to regulators between May 25, the day GDPR went into effect, and January 28, International Data Protection Day, the holiday held to raise awareness of privacy and data protection best practices.
Far-flung countries like Iceland and Cyprus, along with tiny Liechtenstein, Europe's fourth-smallest country (after Vatican City, Monaco, and San Marino), had the fewest breaches: 25, 35, and 15 respectively.
Only a fraction of those breaches actually resulted in fines, however. The report claims there have been 91 fines imposed since GDPR went into effect, the largest coming in December when the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI), a German regulator, levied a €20,000 fine against a social media company for failing to hash passwords. Instead, the company stored them in plaintext, which ultimately triggered the fine after a hacker made off with 330,000 passwords and e-mail addresses.
DLA Piper makes a point in the report of explaining why its numbers don’t exactly match those published by the European Commission last month. In a statement released on January 25, the European Commission said there had been 41,502 data breaches reported since May 25. The law firm contends that those results only take into account voluntary contributions from 21 of the 28 EU member states, whereas its own report is based on 23 of the 28 EU member states, plus Norway, Iceland, and Liechtenstein.
Going forward, it remains to be seen whether there will be more fines as eye-popping as the one France’s data protection regulator, CNIL, imposed on Google last month. CNIL fined the company $57M for failing to comply with GDPR, specifically for not obtaining user consent to process data for ad personalization.
“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so. Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion Euro fines recently on large tech companies,” DLA Piper wrote in the report.
Having a data-centric data protection strategy can be key to demonstrating GDPR compliance and to ensuring that the data of EU citizens is protected at rest, in use, and in motion.