Just three European countries account for nearly three-fifths of reported data breaches since GDPR came into force in May 2018, with residents of companies operating out of the Netherlands, Germany and the UK fingered for 100,000 of the 160,000 cases so far.
According to data gathered by PreciseSecurity.com, the Netherlands has reported the highest number of data breaches, on 40,647, Germany is second with 37,636, followed by the UK with 22,181.
The figures are based on the DLA Piper GDPR Data Breach Survey 2020, which shows a grand total of 160,000 breaches across the 26 EU member states, and the recently departed UK.
France’s data protection regulator, CNIL, still holds the record for the largest fine imposed under GDPR – €50m (£44m) – which was issued to Google after it failed to provide enough information to users about its data consent policies.
The second largest GDPR data breach penalty of €27.8m (£23m) was imposed on Italian telecommunications operator TIM SpA last month. The Italian Data Protection Authority, Garante, received complaints that the telecoms company had made promotional phone calls without consent.
However, these fines could be blown out of the water if – and when – the legal battle being waged by British Airways and Marriott International over fines proposed by the UK Information Commissioner’s Office is ever settled.
The fines – totalling £282m – were the subject of an 11th-hour agreement to extend the “regulatory process” for another three months in January.
Both BA and Marriott have strenuously denied any wrong-doing. In July last year, BA said it planned to make representations to the ICO and “take all appropriate steps to defend the airline’s position vigorously”. Meanwhile Marriott confirmed its intent to “vigorously defend its position”, although according to its results – published just weeks after the notice of intent was issued – the hotel giant has set aside $126m (£104m) just in case.
2019 Review of the Year: Why it’s crunch time for GDPR
Marketers waking up to the benefits of GDPR, says DMA
Google hit for €50m as French issue first GDPR fine
Now Marriott takes a £99m battering for GDPR failings
BA faces record £183m GDPR fine for data meltdown