Leading privacy organisation NOYB – fronted by big tech nemesis Max Schrems – has questioned the political will to enforce GDPR after a new analysis revealed that just 1.3% of cases investigated by data protection authorities have resulted in a monetary penalty.
NOYB argues that when GDPR came into force in May 2018, it promised a shift towards a serious approach to data protection. European consumers affected by privacy violations were given the necessary tools to complain to their national data protection authorities, which, in turn, were equipped with the necessary powers to investigate all kinds of breaches and issue administrative fines to prevent similar offences in the future.
However, this has mostly been wishful thinking, according to a new NOYB analysis of statistics on all authorities’ activity between 2018 and 2023, which shows that most cases are dragged out over multiple years, before they are closed with a settlement or entirely thrown out.
Schrems said: “European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future. Instead, they frequently drag out the negotiations for years – only to decide against the complainant’s interests all too often.”
While some data protection authorities impose far more fines than others, the figures are all in the single-digit percentage range – or even lower. Having imposed fines in 6.84% of all cases (counting both complaints and own-initiative investigations) between 2018 and 2023, the Slovakian DPA is leading the statistics. It is followed by Bulgaria (4.19%), Cyprus (3.12%), Greece (2.65%) and Croatia (2.54%).
At the other end of the spectrum, the Dutch authority has issued fines in 0.03% of all cases, closely followed by France (0.10%), Poland (0.18%), Finland (0.21%), Sweden (0.25%) and Ireland (0.26%). The remaining countries are somewhere in between.
NOYB claims this apparent lack of serious consequences for breaches of the law seems to be very specific to data protection.
It cites Spain as an example: in 2022, the Spanish DPA received 15,128 complaints, but issued only 378 fines. This means that, statistically, only 2.5% of all complaints ended in a fine. This includes obvious breaches such as unanswered access requests or unlawful cookie banners, which could – in theory – be dealt with quickly and in a standardised manner.
By way of comparison, 3.7 million speeding tickets were issued in Spain in 2022 (excluding the Basque Country and Catalonia). A similar comparison can be made for any other EU Member State.
Schrems: “Somehow it’s only data protection authorities that can’t be motivated to actually enforce the law they’re entrusted with. In every other area, breaches of the law regularly result in monetary fines and sanctions. At the moment, DPAs often seem to be acting in the interests of companies rather than the people concerned.”
A separate NOYB survey among data protection professionals shows that it is precisely monetary fines that motivate companies to comply with the law. When asked about the most effective enforcement measures, 67.4% of respondents said that DPA decisions against their own company that include a fine will influence decision makers to opt for more compliance. Interestingly, 61.5% of respondents said that even DPA fines against other organisations would influence their own company’s GDPR compliance.
Interestingly, between 2018 and 2023, all EU data protection authorities imposed a combined total of €4.29bn in fines – of which 40% (€1.69bn) resulted from litigation by NOYB.
The report concludes: “In reality, there is a lack of political willpower to stand up against tech giants rather than a lack of possibilities to act.”