GDPR: Europe Counts 65,000 Data Breach Notifications So Far$63 Million in Fines Imposed Since Privacy Law Went Into Full Effect
European privacy authorities have received nearly 65,000 data breach notifications since the EU's new privacy law went into full effect. In addition, regulators in 11 European countries have imposed $63 million in General Data Protection Regulation fines.
So says a new European Data Protection Board report that provides the "first overview on the implementation of the GDPR and the roles and means of the national supervisory authorities," or SAs.
The Brussels-based EDPB is an independent European body, created as part of GPDR, which went live on the same day as the start of the regulation's enforcement: May 25, 2018. The EDPB's mandate is to ensure that data protection rules get applied consistently throughout the EU, as well as encourage the EU's data protection authorities to cooperate.
The report draws on data provided by many countries in the European Economic Area, which includes all 28 EU member states as well as Iceland, Liechtenstein and Norway, which also comply with GDPR.
Report Reviews GDPR's First 9 Months
Data in the report covers the first nine months of GDPR having gone into full effect. "The total number of [GDPR] cases reported by SAs from 31 EEA countries is 206,326," the report says.
Such cases include complaints. Under article 77 of GDPR - "Right to complain to a supervisory authority" - Europeans can file complaints with regulators about organizations' data protection practices, as they were also able to do before enactment of the new regulation.
Such cases also include data breach notifications. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans' personal information to notify relevant authorities.
"The majority of the cases are related to complaints, notably 94,622, while 64,684 were initiated on the basis of data breach notification by the controller," the EDPB report says. Of these cases, 52 percent have been closed and 1 percent are the subject of lawsuits before national courts.
Goals: Consistency, Cooperation
The EDPB report also serves as a status check on how SAs are approaching the new privacy law. The board concludes that GDPR is being applied consistently across member states, backed by extensive cooperation among privacy authorities.
"From May 25, 2018, to February 18, 2019, no dispute resolutions were initiated. This means that up to now, the SAs were able to reach consensus in all current cases, which is a good sign in terms of cooperation," according to the report.
The board says this is due in no small part to a pre-existing IT system - the Internal Market Information system, or IMI - having been repurposed to support supervisory authorities. "This system provides a structured and confidential way to share information among the SAs" and went live on the day that GDPR went into full effect, the report notes.
"The feedback of the national regulators on this system is really positive," the report says. "A dedicated expert subgroup has been created to ensure the continuous enhancement of the system on the basis of the feedback collected via a dedicated IT helpdesk support provided to the EDPB members by the EDPB Secretariat."
The IMI system gives European privacy regulators a single version of the truth. "Before a case is produced in the case register of the system, the competent authorities have to be identified," the EDPB says. "This registry is the central database from which different procedures can be started, such as the mutual assistance, joint operation and one-stop-shop mechanism."
Any EU member state can initiate a GDPR investigation into an organization's data security and privacy practices. But any organization that has its "main establishment" in a European country - in other words, a European headquarters - can qualify for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations.
That's put Ireland in the forefront of many investigations because Facebook and many other companies have their European headquarters there (see: 15 GDPR Probes in Ireland Target Facebook, Twitter, Others). Other technology firms with European headquarters in Ireland include Apple, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath, WhatsApp, Yelp and MTCH Technology, which owns Match, OkCupid, PlentyOfFish and Tinder. Google is in the process of making Ireland its EU main establishment.
Since GDPR went into effect, six one-stop-shop cases have been launched, the EDPB report says.
Where there is no one-stop shop mechanism in place, for cross-border organizations, SAs from involved countries must reach an agreement about who will take the lead.
"Since May 25, 2018, 642 procedures have been initiated to identify the lead SA and the concerned SAs in cross-border cases," the EDPB report notes. Of those, 306 of the cases have been closed.
"Up to now, no dispute arose on the selection of the lead SA," it adds, which means that cross-border cooperation appears to be working.
Data Breach Reports Increase
The EDPB's report - again, examining the first nine months of GDPR going into full effect - serves as an update for research released by law firm DLA Piper that examined the first eight months of GDPR (see: Data Breach Reports in Europe Under GDPR Exceed 59,000).
"Based on our own research covering 23 of the 28 EU member states, together with figures for Norway, Iceland and Lichtenstein - the three additional European Economic Area member states - we calculate that there have been 59,430 reported data breaches over the same period across Europe," DLA Piper said. "The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively."
The EDPB findings include some similar caveats, in that not every EU or EEA member has shared data. Notably, data from the U.K. is absent from all charts contained in the EDPB's report. Britain's privacy regulator, the Information Commissioner's Office, did not immediately respond to a request for comment.
The steady increase in data breach notifications - most recently from 59,000 as of January to 65,000 in February - does not mean that breaches are occurring more or less frequently, says Brian Honan, who leads Dublin-based information security consultancy BH Consulting. Rather, more breaches are simply being brought to light thanks to GDPR's mandatory breach notifications.
Breach Awareness Boost
Paul Chichester, operations director at Britain's National Cyber Security Center - the public-face arm of intelligence agency GCHQ - says that while GDPR is bringing breaches to light, he doesn't think their frequency has shifted much over the past year.
"I don't think it's dramatically changed the number or volume of breaches that we've been seeing," he told Information Security Media Group during a press conference at NCSC's recent CyberUK conference in Glasgow, Scotland (see: Cybersecurity Drives Intelligence Agencies in From the Cold).
"What has massively changed is awareness," he said. "People are much more interested in preparing for breaches, and we have seen people preparing for what they want to do after a breach."
For Europeans as well as privacy advocates, that may well be the best measure of whether GDPR is gauged to be a success.