View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Big GDPR fines might not translate into greater privacy across Europe

High penalties on businesses may not be enough to achieve robust privacy across Europe, as greater clarity on all-encompassing data transfer laws is critical.

By Afiq Fitri

Data protection authorities across Europe have collectively imposed fines of more than €1bn since January 2021 on businesses for infringements of the General Data Protection Rules (GDPR), according to the latest GDPR and data breach survey by law firm DLA Piper. Yet while these eye-watering numbers appear to be promising for the state of digital privacy across the continent, there are signs that businesses are beginning to buckle under the weight of onerous compliance responsibilities and an uncertain legal environment surrounding transatlantic data transfers.

The majority of this money stems from Luxembourg’s €746m penalty on Amazon in July last year, when the country’s National Commission for Data Protection claimed that the e-commerce giant’s targeted advertising failed to adhere with the bloc’s stringent GDPR. The Amazon penalty is the highest GDPR fine to date and represents more than the total of all GDPR fines meted out since 2018. Amazon is currently in the process of appealing the ruling and recently managed to stave off daily payments of €660,000 after a Luxembourg judge ruled that the data protection authority’s orders were not “sufficiently clear, precise and without uncertainty”, according to Bloomberg.

The threat of costly fines coupled with a significant increase in ransomware attacks since the beginning of the pandemic have also possibly served as an impetus for businesses to proactively declare data breaches to their national data protection authorities. Since late January 2021, there has been an 8% rise in the number of breach notifications submitted per day compared to the 2020 average, according to DLA Piper’s report. Data protection agencies in France and Poland saw the highest increase in breach notifications, while the United Kingdom’s also witnessed an uptick. 

At face value, these fines and increases in breach notifications appear to be encouraging for the state of digital privacy. However, the ongoing uncertainty over transatlantic data transfers has left businesses scrambling to achieve full compliance which may divert resources away from focusing on actual privacy risks, according to Ross McKean, Chair of the UK Data Protection and Security Group at DLA Piper. 

The crux of the issue lies in the “Schrems II” landmark ruling by the European Court of Justice in 2020 which nullified the Privacy Shield framework for transferring data between Europe and the United States, while allowing such transfers to happen under a procedure that ensures the rights of a data subject, also known as standard contractual clauses (SCCs).

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

These clauses include detailed assessments of the risk of EU citizens’ data being intercepted by law enforcement authorities in the US. Just last week, Austrian businesses that rely on Google Analytics were warned by the country’s Data Protection Authority that the use of the web traffic tool violates the GDPR as its citizens’ personal data could technically be passed on to American intelligence agencies. 

The all-encompassing nature of such laws and the additional compliance burden associated with international data transfers may have an effect on an interconnected digital economy right when businesses are beginning to recover from the pandemic. A joint survey conducted by Mazars and McCann Fitzgerald on the impact of GDPR on businesses in Ireland found that two-thirds of organisations believed that the use of SCCs could stop them from carrying out international data transfers.

"The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers," says Ewa Kurowska-Tober, global co-chair of DLA Piper's Data Protection & Security Group. Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations and is beyond the means of many small and medium-sized enterprises,” 

She adds: “What is really needed is a resolution of the underlying conflict of laws rather than imposing an unrealistic compliance burden onto business and another headwind to international trade as we emerge from the global pandemic." 

Homepage image by Valeria Mongelli/Bloomberg via Getty Images

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.