GDPR fines hit over €1 billion in 2021

William S. | January 05, 2022

The European Union (EU) implemented the General Data Protection Regulation (GDPR) in 2018. The goal of this Act was to offer EU citizens more control over their data and privacy. Organizations that disobeyed the legislation were subjected to hefty fines, which keep increasing every year.

According to the data presented by the Atlas VPN team, GDPR fines hit over €1 billion, with 412 total penalties issued in 2021. In addition, companies like Amazon and WhatsApp had to pay off the most significant penalties for violating GDPR laws.

The statistics are based on the GDPR Enforcement Tracker database. CMS — International Law Firm tracked all of the numbers provided on the website.

In 2018, when the EU implemented the GDPR law, a total of €436k in fines were issued to businesses. Next year, in 2019, the sum of total fines increased significantly to €72 million. A GDPR penalty of €50 million was imposed on Google in 2019 for failing to provide transparent information on its consent policies.

In 2020, the total worth of fines administered reached over €171 million by the end of the year. However, 2021 blew out past years by a significant margin, accumulating more than €1 billion in GDPR fines, a 521% increase compared to last year. By looking at the quarter-by-quarter breakdown, we can see a better picture of how fines were distributed throughout the year.

While the first two quarters of 2021 accumulated about €50 million in penalties, the EU imposed the most significant fines in the third quarter. In July, Amazon Europe Core S.à.r.l incurred the highest fine of €746 million. Later on, in September, the EU fined WhatsApp Ireland Ltd. €225 million, the second biggest penalty in GDPR history.

In the fourth quarter of 2021, €16.7 million in fines were distributed across the EU.

GDPR fines comparison among countries

In some countries, updated privacy laws affected businesses significantly as they were fined appropriately under the new system. Data protection regulators in each country closely followed companies to ensure that they handled people’s privacy responsibly.

Spain has accumulated 351 fines, resulting in €36.7 million worth of penalties. While the average penalty rounds to about €105K, Spain has gathered the most fines by far, compared to any other country. Telecom companies, such as Vodafone Spain, have been penalized several times for violating GDPR laws through their marketing activities.

Italy stands second on the list with 101 fines, which required businesses to pay nearly €90 million. The average penalty in Italy is about €887K, which stands out as one of the largest compared to other countries. The Italian SA (data protector) fined TIM (telecommunications operator) €27.8 million in 2020 for breaching GDPR for data collection and processing.

Romania ranks third on the list as it has imposed a total of 68 sanctions that sum up to €721K in fines. Even though they have issued many penalties, the average falls short of €11K. Romanian authorities issued the most significant fine of €150k in 2019 to Raiffeisen Bank SA for breaching Article 42 of the GDPR.

Hungary and Norway follow fourth and fifth on the list with 45 and 40 sanctions since 2018, respectively. While Hungarian companies had to pay €828K in fines, Norwegian businesses racked up a total of nearly €9 million in mandated payments.

GDPR continues to successfully hold businesses accountable when they misuse people’s data or are ambiguous about their privacy policies. Companies became more responsible when handling their client information to avoid hefty fines from regulators, ultimately benefiting every EU citizen.

William S.

William S.

Cybersecurity Researcher and Publisher at Atlas VPN. Focused on revealing the latest cybersecurity trends around the world.



© 2024 Atlas VPN. All rights reserved.