Schrems II is a thorn in the side of EU data transfers, as Google urges EU to ‘speed up’ finding a replacement for Privacy Shield.
The General Data Protection Regulation (GDPR) is hailed as the most consumer friendly privacy legislation and fines for breaching it have grown by nearly 600% last year to in excess of €1 billion.
Since the 28th of January 2021, data protection authorities in the EU (plus the UK, Norway, Iceland and Liechtenstein) have had to deliver a combined total of nearly €1.1 billion in fines, according to research from law firm DLA Piper. This is a sharp increase from just €158.5 million in 2020.
Compromised firms telling regulators about breaches rose more slowly, 356 breach notifications every day – which is an 8% increase. When judged on a per capita basis, the Netherlands topped the rankings.
Since coming into force in 2018, the GDPR has been forcing companies to declare their legal basis and reasoning for collecting users’ data; it stops them sending that data out to certain regions for processing and they must declare any data breach within 72 hours.
The fine for failure of compliance is as much as 4% of global annual turnover, or €20 million, depending on which is higher.
The highest individual fine last year was given to Amazon, as Luxembourg handed out a €746 million penalty to the e-commerce giant, followed by a €225 million penalty against WhatsApp given by Ireland, and €50 million against Google in December 2020 handed out by France. Luxembourg and Ireland also topped the list of countries issuing the highest aggregate fines, followed by Italy.
The Schrems II judgement in July 2020 continues to be the top data protection compliance challenge for many organisations caught by GDPR, despite the growth in fines, according to DLA Piper. The transfer of personal data outside the EU and UK has strict limitations imposed by both Schrems II and Article V of the GDPR, with Schrems increasing the compliance burden on firms with the Schrems judgement requiring detailed risk assessments.
Google has called on the EU to speed up the process of finding a suitable replacement for Privacy Shield, after Schrems II invalidated it, leaving companies covered with standard contractual clauses (SCCs) in place. Cloud companies like Microsoft and AWS can use SCCs as a legal mechanism for data transfer but other firms cannot, such as Meta, and after Austria’s data protection regulator ruled that Google Analytics breaks GDPR its left with the EU to work to find a replacement.
“The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims. The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks”
Ross McKean, Chair of the UK Data Protection and Security Group at DLA Piper