The General Data Protection Regulation came into force on 25 May 2018, more than 5 years ago. Its purpose was to align data privacy laws across the European Union. The regulation set a high bar for the protection of users' personal data. Despite the early announcement, many companies did not manage to prepare their information systems on time. It is worth mentioning that the fines for GDPR infringement can be up to EUR 20 million, or up to 4 % of the company's annual turnover.
The number of fines
From the entry into force of the regulation until August 2023, 1,801 fines have been imposed, totalling more than EUR 4 billion. The first 14 months of the GDPR's operation were fairly quiet in terms of both the number and the amount of fines (apart from the case of Google in January 2019, when it was fined EUR 50 million for lack of transparency). The chart below illustrates the number of fines per month.
For the last year (from September 2022 to August 2023) the average number of fines per month was 43, which is not large considering that there are 27 countries in the EU. On average, there are 1.5 fines per country per month.
Statistics on the size of fines
The first company to lead in terms of the amount of fines was Google, with EUR 200 million in 2021. Google quickly learned its lesson and has not been penalised much since 2021. However, the undisputed leader in terms of the amount of fines is the current Meta (first fined under the name Facebook), with more than EUR 2.3 billion. Remarkably, unlike Google, Meta continues to be fined every year, and every year the fines grow dramatically.
We cleaned the monthly data on fines by excluding outlier cases of more than EUR 5 million; as a result, the average fine comes out at around EUR 91 thousand for the entire period since 2018, or EUR 88 thousand for the last 12 months.
The chart below illustrates the average fine per case (excluding cases that exceed EUR 5 million).
The leading country in terms of the amount of fines is Ireland (unsurprisingly, because of Meta and Google). More surprisingly, Luxembourg is in second place.
In terms of the number of fines, the absolute leader is Spain with 733 fines out of a total of 1801.
The most common violations (in terms of both the number and the amount of fines) are "Non-compliance with general data processing principles" and "Insufficient legal basis for data processing". A distant third is "Insufficient technical and organizational measures to ensure information security".
What about the Swiss Data Protection Act?
If we argue by analogy with the GDPR, the whole system will need some time to adjust to the new processes. This does not mean that you can relax and stop worrying about your company's cybersecurity and privacy posture. If your company has not yet completed its adaptation to the new DPA, we strongly recommend that you complete it as soon as possible.
Since, under the DPA, liability is primarily focused on natural persons and the maximum fine is CHF 250 thousand, we most likely should not expect fines as high as under the GDPR. Moreover, the DPA's requirements for the processing of personal data are generally somewhat more moderate than those of the GDPR, fines apply only to violations resulting from intentional acts, and in most cases they are imposed only upon the filing of a complaint. We can therefore hope that these requirements will lead to fewer criminal cases, at least at first.
After a "trial period", the system will develop and refine the processes of investigation and prosecution under the new act. Then we can expect an increase in the number of cases and the amount of fines.
This is why taking data protection seriously and putting all necessary measures in place is so crucial.
If you have any questions about how to adapt your company's IT to the new regulation, do not hesitate to ask us via the contact form on the website. We are here to help!