GDPR: €2.92 billion in fines in Europe by 2022
Law firm DLA Piper’s GDPR and data breach research shows that fines have increased by 168% over the past 12 months to a record €2.92 billion. Data protection agencies are now turning their eyes to artificial intelligence.
European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021 (about €1.1 billion). That’s according to a recent GDPR and Data Breach study by international law firm DLA Piper, which covers the 27 member states of the European Union, plus the UK, Norway, Iceland and Liechtenstein. This year’s largest fine of €405 million was imposed by Ireland’s Data Protection Commissioner (DPC) on Meta Platforms Ireland Limited against Instagram for allegedly breaching the protection of private children’s data. The Irish DPC also fined Meta €265 million for failing to comply with its GDPR obligation to protect data by design and default. Both fines are currently being appealed.
Despite the overall increase in fines from January 28, 2022, the €746 million fine imposed on Amazon by the Luxembourg authorities last year remains the largest ever imposed by an EU-based data regulator (although the e-commerce giant has yet to also apply). The report also noted that regulatory attention to the use of artificial intelligence (AI) has increased significantly, while the volume of data breaches reported to regulators has decreased slightly compared to the previous year’s total.
The authorities are more confident, the fines are increasing
The latest edition of the GDPR and Data Breach Survey showed a significant year-on-year increase in the total value of General Data Protection Regulation fines. “This increase reflects the growing confidence of regulators and their willingness to impose higher fines for GDPR violations, particularly against large technology providers, and was also influenced by the strongly inflated EDPB (European Data Protection Board),” the report said. “Local data protection authorities will no doubt be watching the EDPB’s decisions under the GDPR compliance mechanism with interest. The latter resulted in a significant increase in the final sanction imposed on fines,” he added.
The survey also highlighted the impact of some notable decisions taken by data protection supervisory authorities this year regarding the application of the Schrems Chapter II and V requirements of the GDPR on extraterritorial transfers of personal data. Ross McKean, chairman of the UK’s data protection and cyber security group, said: “This year’s Irish DPC fines targeting the behavioral advertising practices of social media platforms have the potential to be just as far-reaching for the future of ‘big business’, the heart of today’s ‘free’ internet. Considering what’s at stake If we do, we can expect years of appeals and litigation. The legislation is far from being able to address these questions”. The list of the total amount of GDPR fines imposed since 25 May 2018 is Ireland (€1,303,514,500), Luxembourg (€746,345,675 ) and France (428,238,300 euros), Great Britain (59,242 euros) is in seventh place.
AI in the eyes of regulators
The report says that European CNILs are focusing more on the use of artificial intelligence and the role that personal data plays in shaping AI technology. “It affects every industry, from process automation, machine learning, chatbots, facial recognition to virtual reality and more. Personal data is often the fuel that powers AI used by companies. They help to tailor search parameters, determine behavioral trends and predict possible future outcomes,” the report said. As many AI systems use personal data, the regulation of these systems often falls within the scope of the GDPR. “Several data protection supervisory authorities have issued guidance on the use of personal data for AI this year,” the study adds.
In May 2022, the UK ICO fined facial recognition company Clearview AI £7,552,800 for breaching data protection laws for using images of people’s faces and publicly available data. The ICO claimed that the company collected more than 20 billion images and data of people’s faces from publicly available data on the internet and social media platforms around the world. All with the intention of creating an online database, without informing people that their images are being collected or used in this way.