Regulators in the U.K. have levied €114 million ($126 million) in fines for data violations since instituting new, stronger privacy mandates in mid-2018, The Financial Times reported on Sunday (Jan. 19).
Law firm DLA Piper distributed a report indicating the disparity in fines among countries. France hit Google with a €50 million fine, the largest single penalty against one firm. Conversely, the Netherlands, Britain and Germany had the most notifications regarding data breaches.
The General Data Protection Regulation (GDPR) is intended to protect personal information and imposes steep fines if data is exposed or provided without user consent.
The regulation is enforced by data protection divisions throughout the 28-member European Union. Ireland has the biggest responsibility as the head regulator for Silicon Valley big tech firms such as Facebook.
Penalties, for now, are small compared to the billions levied in EU antitrust violations. That is expected to change as sanctions are probed and legal precedents set.
DLA Piper partner Ross McKean said that, in principle, fines of 2 percent or even 4 percent of global annual sales can be levied. Bigger penalties will have to hold up in court, however.
“It’s going to take time — the regulators are going to be wary about going to 4 percent because they are going to get appealed,” McKean told Reuters. “And you lose credibility as a regulator if you’re blown up on appeal.”
To date, the biggest violation threat was against British Airways owner IAG due to a €183 million ($239 million) data breach affecting half a million people.
“The total amount of fines of 114 million euros imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement,” McKean told Bloomberg in a statement.
“We expect to see momentum build with more multi-million euro fines being imposed over the coming year as regulators ramp up their enforcement activity,” he added.
In May, about a year following the start of GDPR, a total of €56 million ($62 million) in fines had been levied. Of the 200,000 investigations, 64,000 were upheld.