Data acquired and calculated by Finbold indicates that as of Q1 2021, EU countries were fined €33.61 million in GDPR fines for various violations. Spain was the hardest-hit country, with regulators imposing €15.7 million in fines from a total of 34 cases. Germany ranks second with fines amounting to €10.7 million from just three cases. Interestingly, the two countries accounted for 78.53% of the total fines. Elsewhere, January recorded the highest number of fines at €17.5 million. The figure dropped by a massive 90.28% in February to €1.7 million. However, the fines sharply rose to €14.29 million as of March.
Why European GDPR fines are high
The significant amount of the GDPR fines highlights the increasing ability by European regulators to use their enforcement authority in implementing the law that came into use less than three years ago. The imposed high fines point to improved ability to detect instances of personal data violation. Also, the spotting of violation cases has been improved since the law grants more control to consumers who are the most affected. The high enforcement levels are further highlighted by the €306.3 million fines imposed in 2020 alone, according to the Finbold.com GDPR Fines Report 2020. Last year, France topped the fines at €138.3 million, while Spain accounted for the highest cases at 76. Generally, the hefty penalties are helping businesses and organizations put data protection in front of policymakers in return, providing a blueprint for the rest of the world. Notably, the fines are high considering that the GDPR law is still in its infancy stages. Organizations still incur fines considering there has been an increased awareness in managing consumer data. In coming up with fines, regulators look at the nature, gravity, duration, and character of the infringement. Some authorities may also consider the types of personal data affected, any past violation, and level of cooperation. For example, Spain accounts for the highest fines led by Vodafone, which was fined a significant amount over repeated violations. It is essential to highlight that the fines could be higher considering that not all member states avail full details of data breaches. Therefore, it is not necessarily a complete picture of the situation regarding GDPR enforcement. Worth noting is that the imposed fines are not necessarily paid as required by regulators. Some companies are known to launch appeals that usually lead to either scraping off the fines or reducing them. Furthermore, with most organizations and businesses still relishing the economic effects of the coronavirus pandemic, some fines might be reduced. The regulators set the pace with a reduction of the €205 million fine imposed on British Airways due to the adverse effects of the pandemic on the airline industry.
Alternative punitive measures for GDPR violations
The continued rollout of fines for data breaches is a welcomed idea to hold businesses and organizations accountable for managing user data. However, critics argue that instead of fines, authorities should consider other punitive measures like suspending data transfers or directing all data acquired unlawfully to be deleted. However, in stopping the punitive measures, organizations have a crucial role in either monitoring new fines and decisions behind the fines. In general, there is a need to uphold best practices like having information governance programs that do not promote unnecessary collection or retention of personal data.