GDPR critics may have to eat their words following the publication of a new analysis which reveals there have been 648 penalties issued across the EU over the past three years, totalling €283,673,083, with the Italians leading the way on over €70m in penalties.
The study, carried out by the Atlas VPN team, is based on the CMS.Law GDPR Enforcement Tracker and is an update on an analysis by Decision Marketing, published in October last year.
It shows that French regulator CNIL’s €50m fine against Google – issued in 2019 – remains the largest so far but that the Italians are outpacing everyone else on total monetary penalties.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued €76.3m in fines, including telecoms firm TIM and energy company Eni Gas e Luce, which were fined €27.8m and €8.5m respectively. So far, Italian firms have been penalised a total of 77 times.
In third place sits Germany, where GDPR violations have cost companies €49.2m. One of the most significant fines in Germany was recorded in January, when laptop retailer notebooksbilliger.de was fined €10.4m for unlawful video surveillance of staff and customers.
Even though the EU GDPR no longer applies in the UK after Brexit, it has been succeeded by ‘UK GDPR,’ which is virtually the same in all but name.
Meanwhile, Spain has slightly less in the total sum of fines – €29.5m – but has had the most violations. More than one-third of all GDPR penalties (230) have been imposed in Spain.
Atlas VPN cybersecurity researcher William Sword believes that GDPR will only continue to improve in the coming years. He added: “[The regulation] has empowered EU citizens to be more actively involved in what is happening with their data and understand their privacy rights. As for organisations, complying with data protection rules will create a more trustworthy environment between them and consumers.”
GDPR three years on: ‘The aperitif to a cookieless world’
Irish DPC faces new showdown as MEPS vote for action
Exposed: Row over ‘paltry’ Twitter fine threatens GDPR
Marriott hammers down GDPR fine from £99m to £18m
ICO and Irish DPC ‘among the worst GDPR enforcers’
Deceptive data processing sparks biggest GDPR fines
BA ‘humiliates’ ICO by slashing £183m fine to £20m
Germans issue 27th GDPR fine as H&M is hit for €35m
Google hit for €50m as French issue first GDPR fine