In 2023, European regulators imposed a total of 1.78 billion euros in fines for violations of the General Data Protection Regulation (GDPR) – this is according to a report by the law firm DLA Piper “GDPR Fines and Data Breach Survey”. This represents a 14 percent increase compared to 2022, largely due to the record fine imposed on Meta, the owner of Facebook and Instagram. In terms of the number of reported violation cases, Poland ranked third in Europe last year, after Germany and the Netherlands.
As estimated by DLA Piper experts, the total value of fines imposed on companies since May 2018, when the GDPR came into effect, has already reached 4.68 billion euros. Under the GDPR, European regulators can impose fines of up to 4 percent of a company’s total annual revenue.
Last year, the Irish regulator imposed the highest fine of 1.2 billion euros on Meta, ordering the American company to stop transferring personal data from Europe to the USA at the same time. Ireland and Luxembourg, where global tech companies have their European headquarters, lead in total fines imposed since the regulations came into effect. The Irish Data Protection Commission has so far imposed fines on companies amounting to 2.86 billion euros, while the Luxembourg supervisor – 746 million euros.
In this European ranking, Poland holds the sixteenth place. Over the last six years, the Polish Personal Data Protection Office (UODO) has ordered companies to pay fines totalling 3.5 million euros. In Central and Eastern Europe, only Croatia and Bulgaria were ahead of Poland with fines of 9 million and 3.7 million euros respectively.
– Social media sites and large tech companies remain the focus of regulators in all countries covered by our report and they are the ones on which the highest fines have been imposed since the GDPR regulations came into force. The issue of collecting, processing, and monetizing personal data by tech companies will remain the focus of supervisors in the coming years – says Ewa Kurowska-Tober, partner at DLA Piper in Warsaw and co-head of the firm’s Global Personal Data Protection, Privacy and Cybersecurity team.
The firm’s study shows that the number of personal data breaches reported to regulators slightly increased compared to the previous year. In terms of the number of reported cases, Poland ranked third in Europe last year, following Germany and the Netherlands. In the last twelve months, the UODO received 14,167 notifications of personal data security breaches, which represented an increase of 11 percent compared to the previous year.
– Legal uncertainty regarding the GDPR will persist, especially for social media sites and large tech companies, for whom record fines and orders to cease illegal data processing are a constant risk of conducting business in Europe – adds Ewa Kurowska-Tober.
– Moreover, there are still many new rules and regulations regarding data protection and the digital world. Thus, adhering to corporate order and effective risk management becomes a key issue for the proper functioning of companies – concludes the DLA Piper expert.
The DLA Piper study covered 27 EU member states as well as the United Kingdom, Norway, Iceland, and Liechtenstein.
