22nd January, 2020


Data protection authorities across the European Union have issued €114 million in fines under the GDPR since the new privacy rules came into force approximately 20 months ago, according to a new survey from DLA Piper. According to the survey, a significant number of data breaches have been reported in Malta. In fact, Malta ranks 12th (a 3 place drop) in the per capita country ranking of breach notifications.

The report also reveals that the value of fines is likely to increase as the scheme has matured and the authorities have adopted a more consistent approach to calculating the penalties. The key findings of the survey are as follows:

  • France, Germany and Austria have imposed the highest fines to date, at €51m, €24.5m and €18m respectively;
  • Over 160,000 data breach notifications have been reported across the 28 EU Member States plus Norway, Iceland and Liechtenstein since 25 May 2018;
  • The daily rate of breach notifications has increased by 12.6% from 247 notifications per day for the first eight months of GDPR (25 May 2018 to 27 January 2019), to 278 breach notifications per day for the current year;
  • The Netherlands, Germany and the UK topped the table for the number of data breaches notified to the authorities, with 40,647, 37,636 and 22,181 notifications respectively;
  • Italy, Romania and Greece reported the fewest breaches per capita.

“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity,” said McKean.

Malta Statistics:

Malta is one of the 23 EU member states which have imposed administrative fines under the GDPR. According to the findings of the survey:

  • €35,500 in administrative fines have been imposed by the Information and Data Protection Commissioner (IDPC) in 20 months of the GDPR (it is important to mention that the IDPC has a policy not to make fines public, so the fines could actually be higher);
  • Total number of data breach notifications received by the IDPC is 239 since the GDPR came into force on 25th May 2018;
  • Number of data breaches per 100,000 people for the period 28 January 2019 to 27 January 2020 is 31.

During the GDPR – One Year On Conference organised by 21 Academy and 21 Law on the 5th June 2019, the IDPC stated that during the first year of GDPR it had taken a mild approach towards imposing fines on organisations, but that it would now be stricter in order to implement and enforce the GDPR and the Data Protection Act, 2018 in their true spirit. During the forthcoming GDPR – Two Years On Conference, being organised on the 27th May 2020, the speakers will discuss in depth the most interesting cases, both locally and across the other Member States. Further information about the conference may be found through the following link.

Download and read the full DLA Piper data breach survey by clicking on this link.