Fines levied under the General Data Protection Regulation (GDPR) jumped almost 40% in the past 12 months as EU regulators stepped up enforcement efforts, Financial Times reported on Tuesday, January 19.
Since starting in 2018, GDPR regulators imposed €272 million (US$330.3 million) in fines, with €159 million (US$193.1 million) in penalties levied just in the past dozen months, DLA Piper research showed, per FT. More than 50% of those penalties were levied by Italy and Germany.
“Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws,” Ewa Kurowska-Tober, global co-chair of DLA Piper’s Data Protection & Security Group, told FT.
The biggest fine so far — €50 million (US$60.7 million) — was levied against Google in 2019 by CNIL, the French data protection authority. The watchdog stated that the search giant wasn’t transparent about how it collects data and doesn’t have a legal reason for personalizing advertisements.
“It is positive to see that the number and size of the fines imposed under the GDPR continue to grow,” Estelle Massé, senior policy analyst at Access Now, told FT.
“Moving forward, DPAs should not only look at fines but also use all other punitive sanctions available under the GDPR, such as the possibility to suspend data transfers or to request data acquired unlawfully to be deleted,” she said.
Industry verticals retail, hospitality, telecom, and oil have been hit with the most GDPR penalties. Germany and the Netherlands reported the most data breaches, with 121,165 notifications, up almost 20% compared to the same period in 2019.
“[Regulators] certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines,” Kurowska-Tober told FT.
Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group, told FT that due to the pandemic, regulators have lowered fines if a company was experiencing financial hardship.
A GDPR report issued in June by the European Commission indicated that although GDPR is considered a success, there is still more work to be done, especially concerning small and mid-sized businesses. The report also showed that there is still a degree of fragmentation since member countries have different implementation and enforcement rules.
Want more news? Subscribe to CPI’s free daily newsletter for more headlines and updates on antitrust developments around the world.
Featured News
CMA Investigates Aviva’s £3.6B Acquisition of Direct Line Group
May 14, 2025 by
CPI
Google Urges Texas Judge to Disregard Virginia Antitrust Ruling
May 14, 2025 by
CPI
Anthropic Ordered to Respond After AI Allegedly Fabricates Citation in Legal Filing
May 14, 2025 by
CPI
Rumble Adds David Boies to Legal Team in $2 Billion Antitrust Battle with Google
May 14, 2025 by
CPI
China Summons Delivery Giants Over Unfair Competition Concerns
May 13, 2025 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Healthcare Antitrust
May 14, 2025 by
CPI
Healthcare & Antitrust: What to Expect in the New Trump Administration
May 14, 2025 by
Nana Wilberforce, John W O'Toole & Sarah Pugh
Patent Gaming and Disparagement: Commission Fines Teva For Improperly Protecting Its Blockbuster Medicine
May 14, 2025 by
Blaž Višnar, Boris Andrejaš, Apostolos Baltzopoulos, Rieke Kaup, Laura Nistor & Gianluca Vassallo
Strategic Alliances in the Pharma Sector: An EU Competition Law Perspective
May 14, 2025 by
Christian Ritz & Benedikt Weiss
Monopsony Power in the Hospital Labor Market
May 14, 2025 by
Kevin E. Pflum & Christian Salas