GDPR: Analysis of Five Years of Enforcement

Nov 16, 2023 | Blog

Audience-Role: CISO, Management  |  Sector: Cross-sector

Table of Content

  • Introduction
  • What Is the GDPR and Why It Is Relevant For All Organizations?
  • Analysis of the GDPR’s Enforcement
  • Most active countries in GDPR enforcement
  • GDPR fines by sectors
  • Most frequent types of violations
  • GDPR and AI

Executive Summary

This report provides insight into the enforcement trends of the EU’s General Data Protection Regulation (GDPR) over five years. It identifies high-risk countries, sectors, and common violation types to assist organizations in evaluating their compliance vulnerabilities effectively.

  • QuoIntelligence’s analysis shows that Data Protection Authorities (DPAs) in Spain, Italy, and Germany are more active in GDPR enforcement, drawing a higher risk of being prosecuted for organizations operating in these countries.
  • We identified that the sectors most at risk of being sanctioned by the DPAs and to face higher fines are industry and commerce as well as media, telecoms, and broadcasting. The transportation and energy sectors are also more likely to face high penalties.
  • QuoIntelligence’s analysis underlines that the most recurrent types of violations stem from the failure to secure adequate consent, prove the necessity for data processing, and implement sufficient data security measures. This highlights the intensified focus of DPAs on these infractions and the corresponding compliance challenges that companies face.
  • Our research emphasizes that AI applications are poised to come under the scrutiny of DPAs in the near to short-medium term as for now, the GDPR currently serves as the legal and enforcement framework applicable to these applications.
  • The above findings equip organizations with essential insights for executing their GDPR risk assessments and developing their compliance strategies, highlighting areas where heightened vigilance is necessary.

Introduction

As data privacy concerns escalate globally, the GDPR has emerged as the most comprehensive and advance legislation for data protection and privacy rights. Drawing from the data of 5 years of the GDPR enforcement, this report seeks to provide a comprehensive understanding of GDPR as well as the implications of its enforcement to organizations worldwide.

Our first section, “What Is the GDPR and Why It Is Relevant For All Organizations,” details the fundamentals of this robust regulatory framework, the nature of its global applicability, and its significant impact on business operations.

The subsequent section, “Analysis of the GDPR’s Enforcement,” offers a geographical overview of GDPR regulatory activities, delving into the countries that have shown significant rigor in enforcing the GDPR. We will also scrutinize the sectors most affected by GDPR penalties, providing insight into the industries that are in the radar of national Data Protection Authorities (DPAs). Additionally, we identify the most recurrent GDPR violations in cases prosecuted by DPAs to help organizations prioritize their data protection strategies effectively. Lastly, this report will explore the intersection of artificial intelligence (AI) and the GDPR given AI’s intrinsic reliance on large datasets for functionality and advancement.

By detailing these critical facets of GDPR, this report aims to offer an essential tool for any organization navigating the increasingly intricate landscape of data protection and privacy rights.

What Is the GDPR and Why It Is Relevant For All Organizations?

The General Data Protection Regulation (GDPR) stands as the archetype of global data protection laws. The GDPR was adopted in 2016 at the EU level and is enforced by the national Data Protection Authorities (DPAs) since May 2018. It imposes severe regulations on how companies handle, process, and secure the personal data of EU citizens, irrespective of the geographical location of the organization. In fact, the GDPR has a broad territorial scope, applying not just to organizations based in the EU, but also to those outside the EU which offer goods or services to, or monitor the behavior of, EU data subjects.

The GDPR is built upon several foundational principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. It obliges organizations to follow these principles to uphold the rights of data subjects, which include the right to access, the right to rectification, the right to be forgotten, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.

One of the most notable features of the GDPR is the substantial fines it imposes for noncompliance. Organizations can be fined up to EUR 20 million or 4 percent of their annual global turnover for severe infringements, whichever is higher. The regulation also mandates data breach notifications, requiring rapid action to mitigate any potential harm to data subjects.

For organizations, understanding and adhering to the GDPR is not just a matter of legal compliance, but also an investment in consumer trust and reputation. As privacy concerns continue to grow, businesses that can demonstrate rigorous data protection measures are more attractive to consumers, a factor that may significantly impact the competitive dynamics of many industries. Additionally, non-EU organizations that fail to comply may find themselves barred from the lucrative EU market.

Furthermore, the GDPR’s influence extends far beyond Europe’s borders due to what is known as the Brussels effect. This phenomenon refers to the tendency of companies worldwide to adopt EU standards in an attempt to maintain access to its large and affluent market. In essence, the GDPR, through the Brussels effect, has become a de facto global standard for data privacy.

The GDPR’s global influence highlights a new dimension of regulatory power, whereby rules made in one jurisdiction become impactful worldwide. It is vital, therefore, for organizations worldwide to understand the GDPR and ensure their data practices are in alignment to not only prevent financial penalties but to secure their standing in an increasingly data-conscious world.

Five years after the DPR came into force, the regulation has had a significant impact on organizations, even more so since data has become crucial in an increasingly digitalized world. These five years have been marked by high-profile cases against US tech giants with record fines. But the enforcement of GDPR has mostly seen hundreds of cases affecting private and public entities from all sectors, across all countries of the EU, with small and large fines. QuoIntelligence analyzes the trends emerging from public data on GDPR enforcement1 to bring the light on most affected sectors, countries issuing more fines, and regulatory violations resulting in more penalties.

Most active countries in GDPR enforcement

Map 1: Most active countries in enforcing the GDPR since 2018.

National DPAs have adopted different approaches in enforcing the GDPR. Spain is the most dynamic country by far in sanctioning GDPR violations. It represents about 40 percent of all fines issued since 2018, with consistency over the years.

Nevertheless, the Spanish Data Protection Authority resorts to smaller fines compared to other countries. In fact, despite being the most active country in GDPR enforcement, Spain is only in sixth position in terms of the amount of fines.

Italy comes behind Spain in number of fines imposed since 2018. The public sector and education are the most fined sector, followed by health care, industry and commerce, and media, telecoms, and broadcasting. In 2022, individuals and private associations entered in the top 3 of most fined sectors in Italy, representing 17 percent of all fines. Regulators have mainly imposed fines for insufficient legal basis for data processing and non-compliance with general data processing principles. Notable fines imposed by the Italian data protection authority in 2022 include a EUR 4.9 million fine on Edison Energia SpA for illicit telemarketing activities as the company used contact lists from third parties which did not comply with the need to ensure the subjects’ consent.

Figure 1: Sectors most fined by the Italian DPA in 2022

Germany is in third place of most active countries in GDPR enforcement. Notably, the German DPAs (at federal and state level) have imposed more fines on individuals and private associations, which represent 50 percent of all fines. Among the individuals fined are numerous public servants using public data bases for personal purposes. In 2022, the health care sector was first affected by GDPR enforcement, followed by individuals and private associations. Nevertheless, Germany’s data protection authorities only publish a fraction of the cases they pursue. Insufficient legal basis for data processing is the main violation behind most fines representing about 50 percent of all fines, alike most countries.

The German data protection authorities have also imposed numerous fines for insufficient technical and organizational measures to ensure information security, accounting for 17 percent of all fines. These cases include condemnations for outdated websites and applications with security vulnerability, data breaches, and the disposal of personal data in the public waste system.

The highest GDPR fine issued by German DPAs is a EUR 35,26 million fine on H&M in 2020 for insufficient legal basis for data processing of employee personal data.

Figure 2: Most fined sectors by the German DPAs since 2018

GDPR fines by sectors

Industry and commerce are the sectors most fined sector in the framework of GDPR enforcement, followed by media, telecoms, and broadcasting. Individuals and private associations come in third position and public sector in fourth.

This does not mean these sectors are more inclined to violate the GDPR. However, this can be an indication on focus points adopted by the different national DPAs. As such, organizations from most fined sectors should consider this aspect while conducting risk assessment regarding GDPR enforcement. Also to be considered is the average amount of fines by sectors.

This variable shows that media, telecoms, and broadcasting as well as industry and commerce are also the sectors with the highest average fines. For the media, telecoms, and broadcasting sector this is likely due to high-profile cases with record fines imposed on social media platforms such as the EUR 1,2 billion fine issued against US tech giant Meta by the Irish Data Protection Commission in May.

Notably, even though few fines have been imposed on the transportation and energy sectors comparatively, the average fines are high. This could indicate that violations are less frequent but more serious.

Additionally, the revenue of fined companies matters, as the penalties for severe infringements can be up to 4 percent of the organization’s annual revenue from the preceding year. This particular aspect can significantly raise the number of fines for large international firms and as such should be included in any risk assessment.

Figure 3: Fines by sectors for all EU countries since 2018

Most frequent types of violations

DPAs evoke three types of violations in most cases of GDPR infringement, representing 74 percent of all fines since 2018.

  • Insufficient legal basis for data processing (articles 5 and 6)
  • Non-compliance with general data processing principles (article 5)
  • Insufficient technical and organizational measures to ensure information security (article 32)

The article 5 of the GDPR sets the principles relating to processing of personal data which are:

  • Lawfulness, fairness, and transparency: data should be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation: personal data should be collected for specified, explicit, and legitime purposes.
  • Data minimization: data collection should be adequate, relevant, and limited to what is necessary in relation for the purpose of their processing.
  • Accuracy: collected data should be kept accurate.
  • Storage limitation: data collected should be stored only for the period necessary for the purpose of their processing.
  • Integrity and confidentiality: entities processing data should ensure their integrity and confidentiality.
  • Accountability: entities collecting and processing data should be responsible and able to demonstrate compliance with the principles mentioned above.

The first principle is further explained in article 6 as it defines the circumstances in which an entity can collect and proceed personal data:

  • With explicit consent of the data subject.
  • When it is necessary in the framework of a contract between the entity and data subject.
  • When it is necessary for the entity to meet legal obligation.
  • When it is necessary to protect the vital interests of the data subject or of another natural person.
  • When it is necessary in the framework of task of public interest.
  • When it is necessary for the entity’s legitimate interests (except if these are overridden by the interests or fundamental rights of individuals).

Organization must ensure their data collection and processing strictly comply with the principles and conditions described in articles 5 and 6 of the GDPR. This is particularly vital as noncompliance with these two articles represent 56 percent of all fines issued in the EU since 2018.

  • Insufficient technical and organizational measures to ensure information security (article 32)

The violation of article 32 of the GDPR represents 18 percent of all fines imposed by DPAs in the EU since 2018. This article sets high standards for entities to ensure the security of data they collected and process, including in the event of cybersecurity technical incidents or data breaches.

It also requires companies to consider third-party risks. Notably, in January 2021, the French DPA imposed a €150,000 fine on an organization and a €75,000 fine of on its data processor for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. This decision emphasized that organizations must implement appropriate security measures themselves and provide documented instructions to their data processors to comply with the GDPR.

Under the article 32 if the GDPR, entities behind data collection as well as their data processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the latest technological developments and the sensitive nature of collected data. As such organizations must assess the risk posed by accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Appropriate measures include:

  • The use of data pseudonymization and encryption.
  • The ability to ensure confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Regular testing and evaluation of the effectiveness of technical and organizational measures for ensuring the security of processing.

Figure 4: Most frequent violations of the GDPR, all EU countries, since 2018

GDPR and AI

Given the increasing prevalence of artificial intelligence (AI), DPAs are set to investigate further generative AI tools. This is even more likely because machine learning requires the collection and processing of massive amount of data.

In April, the Italian DPA temporary banned ChatGPT in Italy over data privacy concerns. Following this decision other national DPAs increased oversight on ChatGPT and similar AI projects.

The EU is currently working on an Artificial Intelligence Act which will establish obligations for providers and users based on the level of risk posed by AI:

  • Unacceptable risk results from AI systems considered a threat to people and will be banned. This includes applications such as cognitive behavioral manipulation, social scoring, and real-time and remote biometric identification systems.
  • High risk results from AI systems that negatively affect safety or fundamental rights. These systems will be assessed previously being put on the market and throughout their lifecycle.
  • Limited risk AI systems will still have to comply with the GDPR.

EU regulators are expected to adopt the EU’s Artificial Intelligence Act before the end of the year. Though there is no specific AI legislation applying in the EU at the moment, national DPAs are stepping in, demonstrating that the GDPR provides a legal framework and enforcement options applicable to new technologies such as AI.

As more and more companies are introducing AI projects in their operations, they should carry out a risk assessment and ensure compliance with the GDPR as the use of generative AI has far-reaching implications for data privacy.

Conclusions

The GDPR’s rigorous data protection standards, stern enforcement, and heavy fines for noncompliance underline the seriousness on its implications for organizations at a global level, even more so given the increasingly digitalized nature of today’s economy.

The enforcement analysis indicates a persistent and rigorous approach from DPAs, particularly in Spain, Italy, and Germany. As such, organizations operating in these countries need to be proactive and robust in their data protection measures.

Similarly, companies from the industry and commerce or media, telecoms, and broadcasting sectors should be particularly vigilant in their GDPR compliance strategies as they are effectively more likely to be prosecuted for GDPR violations and face higher fines comparatively. Notably, the transportation and energy sectors are also concerned by high penalties.

These trends need to be taken into consideration by organizations as GDPR fines can be significative for large firms as they can represent up to 4 percent of annual revenue. The most recurring types of violations underline common areas of oversight or struggle in GDPR compliance, providing a clear roadmap for organizations to be particularly cautious in these areas. These often center around failure to obtain adequate consent and demonstrate necessity for data processing, as well as insufficient data security measures.

The prompt reaction from national DPAs in investigating ChatGPT shows the GDPR is set to address the data protection and privacy challenges posed by new technologies such as AI. Balancing AI innovation with data privacy demands is a new frontier for many organizations, requiring proper risk assessment and adaptability.

Overall, understanding and navigating the GDPR is not merely a legal necessity, but a business imperative. Fostering a strong culture of data protection and privacy rights will not only prevent financial penalties but also build consumer trust and competitive advantage. As GDPR enforcement continues to evolve and shape the global data protection landscape, organizations must remain attuned to changes, respond effectively, and stay ahead of the compliance curve.

Written by Alixia Rutayisire, Geopolitical Cyber Threat Intelligence Analyst at QuoIntelligence.

Alixia Rutayisire is an accomplished Geopolitical Analyst with extensive experience in cybersecurity and international relations. Prior to her role at QuoIntelligence, she served as a Geopolitical Analyst for West Africa at the Ministère des Armées in France from April 2018 to July 2022. In this role, she was responsible for analyzing geopolitical risks, including political and security situations, as well as internal and international conflicts.

Keep up to date

To keep up with the latest cyber and geopolitical threats, subscribe to QuoIntelligence’s Weekly Intelligence Newsletter, published every Thursday around 1900 CET.

Related posts:

No related posts.