The EU General Data Protection Regulation was violated several times in 2021. GDPR fines totalling over 1 billion euros had to be issued. This is a massive increase compared to 2020.
The aim of the General Data Protection Regulation (GDPR) was to give EU citizens more control over their data and privacy. It was introduced in 2018 and also applies in Iceland, Liechtenstein and Norway, which are not EU members but belong to the European Economic Area (EEA). Swiss companies are affected by the GDPR insofar as they are active with branches in EU countries. So in the event of violations, they too could be fined under the GDPR. A new Swiss data protection law is waiting to come into force after lengthy discussions – possibly in mid-2022.
Record-high fines in 2021
Data security services provider Atlas VPN has calculated the GDPR fines in 2021. According to their data, these amount to over €1 billion, with a total of 412 fines imposed in 2021. The companies that had to pay the highest fines for violations of the GDPR include global companies such as Amazon and WhatsApp, but also various national telecommunications service providers. The extent to which Swiss companies also had to pay GDPR fines is not clear from the information provided by Atlas VPN.
In 2018, when the EU implemented the GDPR law, a total of 436,000 euros in fines were imposed on companies. The next year, 2019, the total fines increased significantly to 72 million euros. Then in 2020, the total value of fines imposed by the end of the year exceeded 171 million euros. However, 2021 far surpassed previous years, producing GDPR fines of more than EUR 1 billion, a 521% increase from the previous year.
Amazon Europe Core S.à.r.l. had to pay the highest fine in 2021 at EUR 746 million. Later, in September, the EU fined WhatsApp Ireland Ltd. €225 million, the second-highest fine in the history of the GDPR. Vilius Kardelis, cybersecurity writer at Atlas VPN, is quoted as saying, “The GDPR continues to successfully hold companies accountable when they misuse people’s data or are unclear in their privacy policies. Companies have become more responsible in handling their customer data to avoid hefty fines from regulators, ultimately benefiting all EU citizens.” So the efforts to improve data protection seem to be starting to bear fruit.
GDPR fines in country comparison
In some countries, the updated data protection laws have had a significant impact on companies, as they have been subject to appropriate fines under the new system. In Spain, for example, 351 fines were imposed, amounting to €36.7 million. The average fine is around EUR 105,000, and Spain has collected by far the most fines compared to all other countries. The biggest “sinners” there turned out to be various telecom providers, above all Vodafone Spain, which had violated the GDPR regulations several times with various marketing activities.
Italy came in second with 101 GDPR fines, for which the companies had to pay almost 90 million euros. The average fine in Italy in 2021 was around EUR 887,000, which is one of the highest compared to other countries. In our southern neighboring country, TIM, a large telecommunications service provider, was also asked to pay. The company had to pay a fine of EUR 27.8 million for improper collection and dissemination of data.
Third on the list is Romania, which imposed a total of 68 penalties that add up to 721,000 euros. Although the country has imposed many penalties, the average is less than 11,000 euros.
New data protection law in Switzerland
Switzerland is also getting a new data protection law. It was passed on September 25, 2020 and is expected to come into force, possibly in mid-2022. It is essentially based on the EU’s GDPR and aims to increase transparency in the exchange and processing of personal data, promote the personal responsibility of data operators, and strengthen data protection supervision by the Federal Data Protection and Information Commissioner (FDPIC; in German, Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB). The new Swiss data protection act also brings an expansion of the penal provisions with fines of up to 250,000 Swiss francs.