news & Things

600% Increase In GDPR Fines Issued During ‘21

24th Jan 2022

Schrems II is a thorn in the side of EU data transfers, as Google urges EU to ‘speed up’ finding a replacement for Privacy Shield.


The General Data Protection Regulation (GDPR) is hailed as the most consumer friendly privacy legislation and fines for breaching it have grown by nearly 600% last year to in excess of €1 billion.

Since the 28th of January 2021, data protection authorities in the EU (plus the UK, Norway, Iceland and Liechtenstein) have had to deliver a combined total of nearly €1.1 billion in fines, according to research from law firm DLA Piper. This is a sharp increase from just €158.5 million in 2020.

Compromised firms telling regulators about breaches rose more slowly, 356 breach notifications every day – which is an 8% increase. When judged on a per capita basis, the Netherlands topped the rankings.

Since coming into force in 2018, the GDPR has been forcing companies to declare their legal basis and reasoning for collecting users’ data; it stops them sending that data out to certain regions for processing and they must declare any data breach within 72 hours.

The fine for failure of compliance is as much as 4% of global annual turnover, or €20 million, depending on which is higher.

The highest individual fine last year was given to Amazon, as Luxembourg handed out a €746 million penalty to the e-commerce giant, followed by a €225 million penalty against WhatsApp given by Ireland, and €50 million against Google in December 2020 handed out by France. Luxembourg and Ireland also topped the list of countries issuing the highest aggregate fines, followed by Italy.

The Schrems II judgement in July 2020 continues to be the top data protection compliance challenge for many organisations caught by GDPR, despite the growth in fines, according to DLA Piper. The transfer of personal data outside the EU and UK has strict limitations imposed by both Schrems II and Article V of the GDPR, with Schrems increasing the compliance burden on firms with the Schrems judgement requiring detailed risk assessments.

Google has called on the EU to speed up the process of finding a suitable replacement for Privacy Shield, after Schrems II invalidated it, leaving companies covered with standard contractual clauses (SCCs) in place. Cloud companies like Microsoft and AWS can use SCCs as a legal mechanism for data transfer but other firms cannot, such as Meta, and after Austria’s data protection regulator ruled that Google Analytics breaks GDPR its left with the EU to work to find a replacement.

“The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims. The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks”

Ross McKean, Chair of the UK Data Protection and Security Group at DLA Piper

More news & Things

More news & Things

Chloe Smith in NonProfit

Initiatives Underway to Improve Diversity In Environmental Workforce In The UK

Steps are being taken in the UK’s sustainability and environment professions to address the lack of diversity, as it stands less than 5% of professionals in organisations within the sector identify as being from minority ethnic backgrounds. The steps involve a data drive, asking the UK’s environmental NGOs and charities to annually report on the […]

Chloe Smith in Health Sector

Billions To Be Raised By Health And Social Care Levy, Massive Reforms To Adult Social Care Underway

COVID backlogs and reforms to adult social care underway with the Health and Social Levy implemented to raise billions. The Health and Social Care Levy has commenced from Wednesday 6th April in order to raise the billions needed for the COVID backlog, as well fund reforms to routine services. In total, £39billion will be implemented […]


NATO Identifies Emerging And Disruptive Technologies – UK To Headquarter The Defence Innovation Hub

NATO to implement the DIANA programme to maintain technological advantage: UK and Estonia to partner on the programme. Critical technologies will be seeing transatlantic cooperation, as the UK is set to be the host of the European HQ of the Defence Innovation Accelerator (DIANA), a programme set for NATO allies to accelerate, test, evaluate and […]

Chloe Smith in Transport

New Bus Scheme Set To Increase Public Transport Use by 10%

20% to 40% ticket price reduction on Cornish buses backed by £23.5m government grant A pilot of cut-fare prices has begun in Cornwall, allowing residents and visitors to enjoy cheaper prices around the far south-west of England. The county has benefitted from a ticket price reduction of between 20% and 40% to incentivise more people […]

Chloe Smith in NonProfit

Legal Proceedings Issued After National Lottery Licence Announcement

For the first time since The National Lottery started, Camelot will not be Preferred Applicant for the National Lottery licence.   A legal battle has been issued by National Lottery operator, Camelot, against the Gambling Commission after it was revealed that Allwyn Entertainment UK was its Preferred Applicant for the fourth National Lottery licence – […]

Chloe Smith in Tech

What Is Colocation And Why Are Datacentres Being Built On Sewage Plants?

Datacentres could be made more environmentally friendly if collocated with sewage treatment plants, suggests Tomorrow Water.   The idea is that heated water from a datacentre can be used to boost wastewater processing, and some of the treated water can then become the cooling water for the datacentre. The arrangement cuts the energy process required […]