Back To Top

GDPR Violations in Europe

data ethics advisory council

GDPR Violations in Europe

A large gap in GDPR violations between EU countries and different industries

Overview.

What is GDPR?

The General Data Protection Regulation (GDPR) is the toughest data privacy and protection law in Europe. It  was adopted on April 14th, 2016 after passing European Parliament and became enforceable on May 25th, 2018. It is applicable on companies and organizations worldwide as long as they target data of citizens or residents of the European Union member states. It is composed of 99 Articles, each stating certain laws, principles or provisions about a particular data protection regulation. The GDPR also provides 173 Recitals of the regulation as a resource and  guideline for individuals and organizations who are involved in any data transfer. The GDPR’s understanding of data protection is very deep and it is proven by the 7 data protection principles which were highlighted in Article 5 of the GDPR:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimization

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

7. Accountability

The GDPR is in fact an extension of the European Convention on Human Rights in 1950. The EU needed to adapt to technological change in human lives, hence, provide up-to-date human rights laws including the right for personal data privacy and protection of Personally Identifiable Information (PII) from exploitation and misuse. The individuals/organizations that are required to be compliant to the GDPR are mainly one of two types:
  • Data Controller: The employee or the organization that has the decision-making power when it comes to how and why data from the EU is being used.
  • Data Processor: The third party that is responsible for processing the data on behalf of the data controller.
Both parties have a set of special GDPR rules specific to them besides the general ones, which they also need to abide by. Otherwise, these two parties will face serious penalties from European data authorities.

GDPR Violations by volume.

The GDPR’s penalty fines can be very important, depending on the article corresponding to the violation committed by either the Data Controller or Data Processor. These penalty fines have a wide range from a few hundred Euros to 20 Million Euros (24.1 Million Dollars) or 4% of global revenue which in most cases is considered higher than 20 M€.

Fines of GDPR violations in the European Union witness serious peaks in 2021

Total Fines for GDPR Violations in 2021 (Million Euros)

You may hover over the chart data points for more details.

[visualizer id=”10347″ lazy=”no” class=””]

The total amount of fines paid by GDPR violators in European Union member states ranges from 0 to 10.4 Million € in the first 7 months of 2021. The fines reached their maximum of 10.4 M€ on January 8th, 2021 where Articles 5 and 6 of the GDPR were violated both in one day by a single organization. The violation was commited by an electronics retail company in Germany that had video-monitored its employees for more than 2 years without having sufficient legal biasis for this personal data processing. The data protection law violation was made in the name of warehouse security and theft prevention.
The total fines exceed 1 Million Euros in the months of January, March, May and June of 2021. Each of these months showcases at least 2 peaks in GDPR fines in the EU which demonstrates the gravity of the crimes discovered in 2021.

Could the digitalization of the world of business during the pandemic have made a contribution in the rise of these serious GDPR violation? Which EU countries are behind these Data Controllers? And which industries are the most negligent of GDPR data privacy and protection laws?

GDPR Violations by type.

More than 5 unique types of GDPR Violations were detected in 2020 & 2021

The General Data Protection Regulation developed 99 precise articles to adress various data privacy and protection crimes. In the years 2020 and 2021, more than 5 GDPR violation types were distinguished in order to classify each GDPR law breaking activity and make them understandable for EU citizens and residents who are not very familiar with the GDPR.

Percentages of GDPR Fines by Violation Type (2020-2021)

You may hover over the bar chart for more details.

[visualizer id=”10611″ lazy=”no” class=””]

Almost half of the violations in the specified timeframe were merely a result of insufficient legal basis for data processing, including some of the most serious GDPR law violations in the EU. The data processing refers to but is not limited to collecting data, manipulating data and transfering it without legal consent (with or without commerical purposes).
26.4% of the detected violations are due to insufficient technical and organisational measures to ensure information security which in Article 32 of the GDPR mainly consists on making sure data controllers and processors encrypt personal data, ensure confidentiality and the resilience of processing systems and provide regular evaluation tests for technical and orgnizational security measures. This category’s average amount of fine is about 524,000 €.
On the other hand, only 4% of GDPR law breaches correspond to insufficient fulfilment of information obligations with only an average fine of almost 289,000 €. This could be expained by the simplicity of this particular violation because most of the cases it only occurs when there is miscommunicated information between the Data Controller/Processor and the PII provider. An example would be displaying an ambigious “Terms of Services” agreement or an unclear “Data Privacy” disclaimer and acting on them to collect private data without full and concrete consent of the client/user.
Meanwhile, less than 1% of the violations resulted from various not so frequent types such as insufficient cooperation with supervisory authority, insufficient data processing agreement, insufficient fulfilment of data breach notification obligations and lack of appointment of data protection officer.
These types may seem unnecessary to some organizations. This leads to disregarding the importance that comes with these detailed data security measures and protection procedures. However, the penalty fines to one of these rare violations ranged from 500 € to 475,000 € in the years 2020 and 2021.

GDPR FINES by Country.

Ranking European Union countries of fined organizations from 2020 to Mid 2021

The General Data Protection Regulation has proven to be severe and taken seriously by the European Union, Data Controllers and Data Processors since spring 2018. But, circumstances change overtime such as the unprecedented global pandemic in the start of 2020. Around the same time, many organizations felt threatened by a possible economic recession and became utterly dependent on the digitalization of their activities, especially given the Coronavirus restrictions in Europe and work-from-home policies to prevent the spread of the virus. Subsequently, these organizations relied on data on many levels (clientele, personnel, etc.) and took multiple decisions that affected the data but also violated at least one of the 99 GDPR Articles. This lead the Data Controllers/Processors‘ short term solutions to long term legal and financial problems.
The cumulative volume of GDPR fines from 2020 to Mid 2021 varies by EU country as follows:

Top 10 EU Countries by Cumulative GDPR Fines (2020-2021)

You may pause the progress bar chart and change ranking from highest to lowest.
Spain has proven to be the only EU country remaining in the Top 5 ranks of cumulative GDPR fines for 19 months since the start of 2020. This translates to a series of GDPR violations with penalties reaching a total over 43 Million Euros. Meanwhile, Italy has not left the #1 rank since January 15th, 2020. This escalation of GDPR violations’ fines is alarming given that the Italian data authorities already have an Italian Data Protection Code which has been progressively reformed since the GDPR’s additions in data protection laws and its derogation of some others.
Austria, however, shows a good example of “Data Discipline” for the rest of the EU member countries as the only one where the total GDPR fines never exceeded 850 € since 2020. Austria remains the lowest fined country for GDPR law breaking throughout the timeframe except on October 19th, 2020 when two private individuals violated articles 5,6 and 9 of the GDPR because of insufficient legal basis for data processing, both from health care and private sector. This demonstrates that Man can be individually responsible for the crimes of an entire organization –public or private– and can influence its legal status as well as the image of the country of operations in terms of data ethics. Fortunately, the Austrian Data Protection Authority (DSB) was one of the numerous local data protection laws in Austia that had enforced strict regulations for the sake of personal data privacy and protection from unethical processing. Till date, Austria is the least fined EU Country for GDPR violations.

GDPR FINES by Industry.

Percentages of Total GDPR Fines by Industry (2020-2021)

You may hover over the column chart for more details.

[visualizer id=”10489″ lazy=”no” class=””]

The chart indicates that the General Data Protection Regulation has not made the same impact on actions from different industries. The total fines percentages of Data controllers and processors from Media, Telecommunication & Broadcasting as well as Human Resources & Employment indicate a certain level of negligence and repetitive unlawful behavior towards personal data of EU citizens and residents, respectively around 37% and 21%. Together, these two industries represent more than half of penalized individuals / organizations because of their constant dependency on PII for business growth and lucrative purposes.
On the other hand, Individuals & Private Associatons have shown more precaution when dealing with data while respecting the GDPR articles, particularly the ones with the highest amounts of fines. A minority of 0.1% of total fines are mainly from industries such as Real Estate.

Review.

The European Union has made a big step forward when enforcing the GDPR on EU member countries. Not only has it started raising awareness about the importance of technological inclusion in human rights laws but it also started fighting against attackers on EU data and penalizing them in order to make an example. However, this does not cover the fact that many organizations are still trying to outsmart the GDPR by violating articles with legitimate excuses such as staff control, business operations, misunderstanding of data privacy policies, etc. Most of these violations fall under insufficient legal basis for data processing which in the EU has increased the total amount of fines in 2020 & 2021. The cumulative amount of GDPR fines proved that there is a large gap between EU countries in terms of data ethics and legal data collection and processing methods. The largest gap from January 2020 until July 2021 remains between Austria and Italy. The fastest way to reduce this gap is by having Austrian and Italian local data authorities cooperate into making parallel local laws and mutual sensibilization compaigns for Data Controllers and Processors. The purpose would be reducing the GDPR penalties’ volume during Covid-19 crisis where data became the most valuable asset. Some individuals / organizations misinterpret the GDPR as an ethical choice. But, if everyone undermines data protection laws, nobody will be safe again.

Data.

  • Source: GDPR Enforcement Tracker
  • URL: https://www.enforcementtracker.com/
  • Publisher: CMS.Law (data protection law firm)
  • Retrieved: July 27th, 2021.
  • Last Update: July 31st, 2021. (It’s weekly updated by the CMS)
  • Description: The CMS.Law GDPR Enforcement Tracker is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR). The aim is to keep the list as up-to-date as possible.

Author.

Sarra Hannachi is a Master of Science Student in Business Analytics at Tunis Business School, Tunisia and a Data Storytelling Intern at DataEthics4All. She’s passionate about statistics and data science and about organizations that apply their data practices ethically and for the greater good. Sarra is also the leader of a Data Science Club “DSC TBS” in her campus for business students looking to enhance their skills in Data Science & AI and to enrich their knowledge of these fields.

Contact: LinkedIn