GDPR fines and prospects for the Swiss Data Protection Act

Let's take a look at the interesting statistics on the GDPR and try to predict what we can expect from the DPA.

The General Data Protection Regulation came into force on 25 May 2018, more than 5 years ago. It purposed to align data privacy laws across the European Union. The regulation set a high bar for the protection of users' personal data. Despite the early announcement, there were a lot of companies that didn’t manage to prepare their information systems on time. It worth nothing to mention that the fines for the GDPR infringement can be up to EUR 20 million, or up to 4 % of the company’s annual turnover.

The number of fines

From the entry into force of the regulation until August 2023, 1,801 fines have been imposed, totalling more than EUR 4 billion. The first 14 months of the operation of the GDPR were fairly quiet in terms of the number and amount of fines (apart from the case of Google in January 2019, when it was fined with EUR 50 million for lack of transparency). The chart below illustrates the number of fines per month.

For the last year (from September 2022 to August 2023) the average number of fines per month was 43, which is not really big taking into account the fact that there are 27 countries in the EU. On average, there are 1.5 fines per country per month.

Statistics on the size of fines

The first leading company in terms of the amount of fines was Google in 2021 with EUR 200 million. Google quickly learned its lesson and hasn't been penalised much since 2021. However, the undisputed leader in terms of the amount of fines is the current Meta (which was fined for the first time as Facebook) with more than EUR 2.3 billion. Remarkably, unlike Google, Meta continues to be fined every year, and every year the fines increase horribly.

We tried to clear monthly data on fines by eliminating outstanding cases of more than EUR 5 million, and in the result it appears that the average fine is around EUR 91 thousand for the entire period since 2018, or EUR 88 thousand for the last 12 months.

The chart below illustrates the average fine per case (excluding cases that exceed EUR 5 million).

Leaderboard

The leading country in terms of the amount of fines is Ireland (of course, because of Meta and Google). But, more surprisingly, Luxembourg is in second place.

In terms of the number of fines, the absolute leader is Spain with 733 fines out of a total of 1801.

The most common violations (in terms of number and amount of fines) are “Non-compliance with general data processing principles” and “Insufficient legal basis for data processing”. With a significant lag in third place is “Insufficient technical and organizational measures to ensure information security”.

What about the Swiss Data Protection Act?

If we argue by analogy with the GDPR, then the whole system will need some time to adjust new processes. This doesn’t mean that you can relax and not worry about your company’s cybersecurity and privacy posture. If your company has not yet completed the adaptation to the new DPA, we strongly recommend that you complete it as soon as possible.

Since, according to the DPA, liability is primarily focused on natural persons, and the maximum fine is CHF 250 thousand, most likely, we should not expect the same high fines as under the GDPR. And given that the DPA's requirements for the processing of personal data are generally somewhat more moderate than those of the GDPR, and that fines only apply to violations resulting from intentional acts, and are in most cases only imposed upon the filing of a complaint, we can hope that these requirements will lead to fewer criminal cases. At least at first.

After a "trial period", the system will develop and refine the processes of investigation and prosecution under the new act. Then we can expect an increase in the number of cases and the amount of fines.

Therefore, taking data protection seriously and putting into place all necessary measures are so crucial.

If you have any questions about how to adapt your company's IT to the new regulation, do not hesitate to ask us via the contact form on the website. We are here to help!

Sources:

https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/

https://www.enforcementtracker.com/?insights

https://gdpr-info.eu/

https://www.mondaq.com/privacy-protection/1292208/new-swiss-data-protection-act--the-most-important-changes-for-companies

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your consent to using cookies.	1 year	HTML	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website
be_typo_user	missing translation: trackingobject.be_typo_user.desc	session	HTTP	Website
PHPSESSID	missing translation: trackingobject.PHPSESSID.desc	session	HTTP	Website

Name	Purpose	Lifetime	Type	Provider
_ga	Used to distinguish users.	2 years	HTML	Google
_gat	Used to throttle request rate.	1 day	HTML	Google
_gid	Used to distinguish users.	1 day	HTML	Google
_ga_--container-id--	Persists session state.	2 years	HTML	Google
_gac_--property-id--	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.	3 months	HTML	Google

Name	Purpose	Lifetime	Type	Provider
GoogleMaps	Is used to connect to Google Maps and to display those maps.	none	Connection	Google
YouTube	Is used to connect to YouTube and display to videos.	none	Connection	YouTube