Looking back at EU data protection in 2020

On January 28th we celebrated Data Protection Day. So, I think, this is the right moment to look back at the previous year, how it changed, and also try to predict future developments. All statistics come from DLA Piper GDPR fines and data breach survey: January 2021.

Regulators have been more active with fines

But let’s look deeper at what companies were fined for, which DPAs were the most active, and which were the highest fines for GDPR non-compliance.

What were the biggest GDPR fines in 2021?

The second largest fine is EUR 35.26 million imposed by the Hamburg data protection supervisory authority on the global retailer H&M for failing to have a sufficient legal basis for processing.

Third — Italy’s data protection supervisory authority fined the telecommunications operator TIM SpA EUR 27.8 million for a number of breaches of GDPR, including breaches relating to transparency obligations, failing to have a sufficient legal basis for processing personal data, inadequate technical and organisational measures, and breach of the principle of privacy by design.

While the biggest fines are impressive, in most cases they are far from the maximum of 4% of a company’s global turnover.

What were the most common GDPR breaches in 2021?

Failure to comply with the transparency principle

Failure to demonstrate a lawful basis to process

Failure to implement appropriate security measures

Breach of the data minimisation and data retention principles

Regulators aren’t always right

The UK’s ICO significantly decreased the fines for Marriott International (from £99 million down to £18.4 million) and British Airways (down to £20 million from £183 million).

A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation’s federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.

Also, the Austrian supervisory authority’s headline EUR 18 million fine imposed on Austrian Post was overturned by the Austrian Federal Court in December.

Consumer organizations test their powers

British Airways is potentially facing the largest privacy class-action lawsuit in UK history over its mass customer data breach that affected 400,000 people, according to a law firm involved.

This year will surely bring a further increase in the activities of consumer organisations, which target not only companies for non-compliance but also supervisory authorities for lack of action.

Increase in reported data breaches

I think there are two possible reasons for such an increase:

  1. Better awareness among companies of their identification and reporting obligations. Companies are becoming more educated both about the importance of having proper tools to be alerted to incidents and about their obligations to report data breaches to authorities. Also, increased DPA activity in fining companies for failing to meet reporting obligations may play a role.
  2. Increased cyber-security risks. Last year was special for companies, as most of them moved to remote work. Neither companies nor employees were ready for such a shift. Working from home put data at increased risk, as employees used their own (often unsecured) equipment for processing data or made data available to their household members. And, of course, cyber-criminals were more active than ever in exploiting this new situation for their own gain.

Thus, I am of the opinion that in 2021 we will see a further rise in reported data breaches. For many companies there is still much work to do to address the risks created by remote work — both technologically and in the training of employees.

Takedown of Privacy Shield

Brexit

New data protection guidance from authorities

Also, CJEU issued several notable decisions on data protection and e-privacy questions, deciding, for example, that:

In November the European Commission released a draft set of new Standard Contractual Clauses (SCCs) that will replace the long-outdated existing ones.

The hard work on GDPR guidance will continue this year, too, of course. And some new decisions are also expected from the CJEU to shed light on problematic issues of GDPR application.

Conclusion

Originally published at https://atisgailis.com on February 7, 2021.

Tech lawyer, privacy expert and data protection officer.