59,000 breaches reported in first eight months of new GDPR requirements

The law firm DLA Piper surveyed European data protection agencies to tally up data breaches and GDPR fines issued since the GDPR requirements went into effect in May 2018. However, there is still no data on breaches reported to individuals under GDPR Article 34.

According to the survey, Dutch, German, and British authorities all received over 10,000 reports of data breaches. Germany had the most, with over 15,000, while Liechtenstein had the fewest with 15. Per capita, the Netherlands had the most reported breaches, with nearly 90 incidents per 100,000 people, followed by Ireland and Denmark. Italy, meanwhile, has a suspiciously low level of data breaches for the size of its population and economy. The authors theorize that notification culture might not have taken hold there yet.

The kinds of data breaches range from emails mistakenly sent to the wrong recipient all the way up to significant hacks that affected hundreds of thousands of users, like that of British Airways in September 2018.

The survey only included breaches that have been reported to regulators, as per the GDPR requirements under Article 33. It is still unclear how many personal data breaches have been reported directly to data subjects, as provided for under GDPR Article 34. The DLA Piper report also points out that the survey only takes into account self-reported data breaches.

GDPR fines

The German data protection authority, LfDI Baden-Württemberg, handed out 64 GDPR fines, which account for more than two-thirds of all the fines reported in the survey. The fines — 91 of them in all — range in size from a €4,800 penalty for an unlawful CCTV system in Austria up to the recent €50 million fine the French data protection agency, CNIL, imposed on Google. The Google fine is the highest yet under the GDPR, but unlike most GDPR fines, it does not pertain to a data breach. Google was cited for processing personal data without receiving valid consent from its data subjects. (Their users’ consent was considered invalid because Google “excessively disseminated” its information about their data processing procedures across several documents.)

The report says to expect more fines in the coming months as the data protection agencies work through their backlog. Whether fines in excess of €50 million will become a regular occurrence remains to be seen. (The GDPR caps the penalty for serious infringements at €20 million or 4 percent of the offending company’s worldwide annual revenue, whichever amount is higher.)

The report expects challenges to the mechanisms used to determine the size of the fines, mentioning that German legal commentators have argued that using EU competition law principles to calculate GDPR fines violates the principles of proportionality under the European Charter of Fundamental Rights. They assert that local procedural rules (in their case, German regulation) should be applied, which would result in much lower fines. Meanwhile, Sam Millar, a partner at DLA Piper, had this to say: “We anticipate that regulators will treat data breaches more harshly by imposing higher fines, given the more acute risk of harm to individuals.”

The limits of regulators’ power under the GDPR to fine companies will remain murky until the courts weigh in. Google has already announced it plans to appeal its GDPR fine.

What are the GDPR requirements for data breaches?

Companies face specific GDPR requirements for how to handle data breach notifications under Articles 33 and 34. Article 33 lays out a company’s obligation to notify its supervisory authority, the relevant national data protection agency. These obligations include disclosing the nature of the data breach, the categories and approximate number of data subjects affected, and the categories and approximate number of records leaked. The company must also describe the measures it has taken to mitigate the breach and make its data protection officer available to answer further questions. All of this is to take place within 72 hours of the discovery of the breach.

The GDPR requirements for notifying data subjects themselves are covered under GDPR Article 34. Article 34 states that a company must communicate the same information as it would under Article 33 to the affected individuals if the “data breach is likely to result in a high risk to [their] rights and freedoms.” A company is exempt from notifying affected data subjects individually if the data exposed in the breach was unintelligible (encrypted), if steps have been taken to effectively mitigate the risk to the data subject, or if the company provides all the required information in a public announcement.

While it may be discouraging to see how many data breaches took place over the past eight months, the GDPR requirements have been effective in driving the problem into the light.