DLA Piper counts €2.9bn GDPR fines in 2022

Cyber Security
/ 17th January 2023 /
Nick Mulcahy

European data regulators issued €2.9bn in GDPR fines in 2022 with over €1bn issued by Ireland’s Data Protection Commission.

Global law firm DLA Piper’s GDPR and Data Breach Survey discloses that last year’s highest fine of €405m was imposed by the Data Protection Commissioner against Meta Platforms Ireland relating to Instagram for various alleged failures to protect children’s personal data.

Luxembourg remains at the top of the country league table for the highest GDPR fine imposed since 25 May 2018: a fine of €746m, with Ireland taking 2nd, 3rd, 4th, 5th and 6th place in the country fines league table after a very busy year for the DPC.

According to DLA Piper, the average number of notified data breaches fell slightly to 300 per day from 328 the year before.

The law firm believes organisations might be becoming warier of notifying breaches for fear of investigations, fines and compensation claims.

Several of the largest fines imposed against Meta in 2022 by the DPC related to Facebook and Instagram’s behavioural profiling of users, and whether the lawful basis of ‘contract necessity’ can be used to legitimise the mass harvesting of personal data.

While the Irish DPC originally concluded that this was possible, the European Data Protection Board disagreed.

The DLA Piper report observes: “The resulting fines raise serious questions about the grand bargain struck between consumers and service providers, and how ‘free’ online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed, sparking years of subsequent litigation.”

While personal data issues around advertising and social media have dominated headlines, there is a growing focus on Artificial Intelligence (AI), and the role of personal data used to train AI, according to the law firm.

There were multiple investigations in 2022 into facial recognition company Clearview AI following complaints by digital rights organisations, including Max Schrems’s organisation My Privacy is None of your Business (NOYB), with several resulting fines issued.

As AI and machine learning platforms become ubiquitous, the survey predicts more regulatory investigations and enforcement for the year ahead with a focus on both providers and users of AI. 

DLA Piper partner John Magee commented: “It is clear from activity throughout the year that the GDPR’s consistency mechanism, which was put in place to ensure that EU data protection law is enforced uniformly across all member states, has resulted in a tougher approach being taken by the DPC.

“While most of the larger headline-grabbing fines have been levied against social media companies, the DPC is increasingly looking at organisations from all sectors so businesses across the board would be well advised to get their house in order to avoid sanctions.”

“With data protection enforcement on the rise, it is probably no coincidence that organisations are increasingly cautious around when and how they report data breaches to regulators. 

“The fear of investigations, fines and compensation claims is likely driving what is a small but significant reduction in breach reporting numbers.”

The DLA Piper survey covers all 27 member states of the European Union, plus the UK, Norway, Iceland and Liechtenstein. The firm said that it is possible that more fines have been issued and not published.
