Authorities across Europe issued huge amounts in GDPR fines during 2021. Luxembourg and Ireland took up the top spots, replacing Italy and Germany.

European data protection authorities have issued fines of €1.1 billion ($1.2 billion) under the General Data Protection Regulation (GDPR) since 28 January 2021, according to the annual GDPR Fines and Data Breach Survey by international law firm DLA Piper.

The survey—which spanned 27 European Union members, the European Economic Association members Norway, Iceland, and Liechtenstein, and now-former EU member the UK—found there was a sevenfold increase in fines in 2021.

The year recorded all-time high fines imposed by Luxembourg and Ireland, which replaced Italy and Germany at the top two spots in the aggregate fines tally. Luxembourg and Ireland issued a total of €746 million ($843 million) and €226 million ($255 million) in fines, respectively, pushing Italy down to the third place with €79 million ($89 million) in fines.

With this, the Luxembourg National Commission for Data Protection (CNDP) became the highest issuer of a single GDPR fine to date, imposing a €746 million fine on US-based online retailer Amazon. This was 14 times higher than the previous highest single fine, €50 million ($57 million), imposed by France on Google in 2019.

Schrems II judgment triggers the increase in GDPR fines

The nearly sevenfold increase in fines this year is being widely attributed to the stringent regulations directed under the European Court of Justice’s Schrems II judgment.

“Schrems II judgment and its profound implications for data transfers have established itself as the top data protection compliance challenge for many organizations caught by GDPR,” said Ross McKean, chair of the UK Data Protection and Security Group.

The Schrems II judgment invalidated the European Commission’s Privacy Shield Decision affecting data transfer between EU and US businesses on account of invasive US surveillance programs.
The Privacy Shield framework was meant to provide for the lawful transfer of personal data from the EU to the US while adhering to certain data protection safeguards. The personal data transfer is now possible only through standard contract clauses stipulating data-protection levels equivalent to that of GDPR and the EU Charter of Fundamental Rights.

The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers, said Ewa Kurowska-Tober, global cochair of DLA Piper’s Data Protection and Security Group.

“What is really needed is a resolution of the underlying conflict of laws rather than imposing an unrealistic compliance burden onto businesses and is yet another headwind to international trade just as we emerge from the global pandemic,” she said.

Reported breaches on the rise across Europe

The DLA Piper survey also noted a trend of increasing numbers of daily data breach notifications in Europe for the third year running.

More than 130,000 personal data breaches have been notified to regulators since 28 January 2021, with an average of 356 breach notifications per day. This is an 8% jump on 2020’s 331 notifications a day.

The Netherlands reported an average of 150.7 breaches per day, the highest number per 100,000 people among the surveyed countries. Greece, Czechia, and Croatia have had the fewest reported breaches per capita since 2018.