GDPR fines nearly hit 300 million euros in three years
The General Data Protection Regulation (GDPR) was implemented in the EU three years ago on May 25th. This legislation aimed to give the residents of the EU more control over their data and privacy. Organizations that violated this regulation were fined appropriately.
According to recent findings by the Atlas VPN team, the cumulative sum of GDPR fines imposed across EU countries over the past three years has reached €283,673,083. Since May 2018, the European Union has issued a total of 648 penalties against organizations violating the data protection law.
The data is based on GDPR Enforcement Tracker statistics. CMS — International Law Firm tracked all of the numbers provided on the website.
The biggest GDPR fine so far was issued in January 2019. The French regulator CNIL fined Google 50 million euros for failing to provide transparent information on its consent policies and the way it handles ad personalization. At that point, only 12 penalties had been issued for GDPR violations since its implementation.
After that, another massive increase in penalties happened between October 2019 and January 2020. In this period, two Italian companies, TIM (telecommunications operator) and Eni Gas e Luce (energy industry), were fined €27,800,000 and €8,500,000, respectively. Thus, since the start of the GDPR, organizations had been fined a total of €100,711,612 for 167 violations.
In 2020, from July to October, there was a significant increase in the sum of fines. This was because three of the five largest penalties of all time were issued in October. One of the fines, for €35,258,708, was imposed in Germany, and two others, totaling €42,496,000, were issued in the United Kingdom.
In 2022 H1, GDPR fines accumulated to nearly €100 million. However, specialists mention that strict regulations still have a long way to go.
GDPR violations in specific countries
Some organizations could not keep up with the updated privacy laws or expected to go unnoticed. However, privacy regulators in each country were closely monitoring companies to make sure that people’s data was handled responsibly.
Italy has assessed the largest sum of fines in the past three years: €76,271,601. Besides the previously mentioned incidents, two telecom giants in Italy, Wind Tre and Vodafone Italia, were fined for an insufficient legal basis and non-compliance with general data processing principles. So far, penalties have been issued in Italy a total of 77 times.
France takes second place with €54,661,300 in fines. The largest part of that amount came from the previously mentioned Google fine. Other than that, France was able to ensure GDPR compliance reasonably well. Only 13 other violations were recorded over the three years.
In third place sits Germany, where GDPR violations have cost companies €49,186,833. One of the most significant fines in Germany was recorded just this year, in January, when laptop retailer notebooksbilliger.de was fined €10,400,000 for unlawful video surveillance of staff and customers.
The United Kingdom ranks fourth with €44,221,000 in fines. The sum was accumulated through only 4 violations of GDPR law. Even though the EU GDPR no longer applies in the UK after Brexit, the country has a new regime known as the ‘UK GDPR,’ which all organizations need to follow.
Even though Spain has slightly less in total fines (€29,521,410), it has had the most violations. More than one-third of all GDPR penalties (230) were imposed in Spain.
As the data shows, the GDPR was a success in keeping organizations accountable for misusing people’s data or being unclear with their privacy policies. European citizens have benefited from this regulation as companies have become more transparent regarding privacy. GDPR will only continue to improve in the coming years as more experience is gained.