European data regulators issued a record €2.92 billion in fines last year, a 168 per cent increase from 2021.
That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein.
This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data.
The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.
Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).
The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.
GDPR fines continue to rise as authorities’ confidence grows
The latest edition of the GDPR and Data Breach survey showed a significant year-on-year increase in the aggregate value of GDPR fines.
“The increase demonstrates supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR, particularly against large technology vendors, and has also been influenced by the highly inflationary impact of the EDPB,” the report read.
“Local data protection authorities will no doubt have been watching the EDPB decisions under the GDPR consistency mechanism with interest and will know that the EDPB is yet to reduce any fine proposed by a lead supervisory authority. All EDPB decisions regarding fines have resulted in a significant increase in the final fine imposed,” it added.
The survey also highlighted the impacts of some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data.
Ross McKean, chair of the UK Data Protection and Cybersecurity Group, stated: “The spate of Irish DPC fines targeting the behavioural advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the “grand bargain” at the heart of today’s ‘free’ internet.
Given what is at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”
Ireland (€1,303,514,500), Luxembourg (€746,345,675), and France (€428,238,300) topped the list of the total value of GDPR fines imposed from May 25, 2018, to date, with the UK (€59,242,800) in seventh.
Data regulators increase focus on use of AI
Data protection regulators are increasing their focus on use of AI and the role personal data plays in training AI technology, the report stated.
“AI is impacting every sector, from process automation, machine learning, chat bots, facial recognition through to virtual reality and beyond. Personal data is often the fuel that powers AI used by organisations. It tailors search parameters, spots behavioural trends, and predicts future possible outcomes,” the report read.
As many AI systems use personal data, regulation of these systems often falls within the scope of GDPR. “Several data protection supervisory authorities have issued guidance on the use of personal data for AI this year,” the report added.
In May 2022, the UK Information Commissioner’s Office (ICO) fined facial recognition company Clearview AI Inc £7,552,800 for breaking data protection laws over its use of images of people’s faces and data from publicly available information.
The ICO claimed the firm collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database but failed to inform people that their images were being collected or used in this way.