When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in, on paper, a new era of data protection in the EU. Consumers were given the means to defend their fundamental rights, while supervisory authorities received investigative powers and the ability to punish violations with hefty fines. Almost seven years later, the reality looks considerably less rosy. On the occasion of European Data Protection Day on 28 January, noyb analysed the current EDPB statistics on the (in)activity of national DPAs. The figures show that, on average, only 1.3% of cases before these authorities end in a fine. Yet data protection professionals stress that fines are the most effective way to force companies to comply with the law. The article continues in English.
Strict GDPR enforcement only on paper. When the General Data Protection Regulation (GDPR) came into force in May 2018, it promised a shift towards a serious approach to data protection. European consumers affected by privacy violations were given the tools to complain to their national data protection authorities (DPAs), which in turn were equipped with the powers to investigate all kinds of breaches and to issue administrative fines that deter similar offences in the future. Unfortunately, the last seven years have shown that this has mostly been wishful thinking. This is confirmed by a new noyb analysis of EDPB statistics on the authorities' activity between 2018 and 2023: on average, merely 1.3% of cases before the DPAs actually result in a fine. This is consistent with our own practical experience: most cases are dragged out over multiple years before they are closed with a settlement or thrown out entirely.
Max Schrems: “European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future. Instead, they frequently drag out the negotiations for years – only to decide against the complainant’s interests all too often.”
No real positive example. While some data protection authorities appear to impose far more fines than others, the figures are all in the single-digit percentage range or even lower. Having imposed fines in 6.84% of all cases (counting both complaints and own-initiative investigations) between 2018 and 2023, the Slovak DPA leads the statistics. It is followed by Bulgaria (4.19%), Cyprus (3.12%), Greece (2.65%) and Croatia (2.54%). At the other end of the spectrum, the Dutch authority has issued fines in 0.03% (!) of all cases, closely followed by France (0.10%), Poland (0.18%), Finland (0.21%), Sweden (0.25%) and, of course, Ireland (0.26%). The remaining countries lie somewhere in between.
An interactive version of this map (fine rate per DPA, 2018 to 2023) is available on the noyb website.
A phenomenon specific to data protection. This apparent lack of serious consequences for breaches of the law seems to be very specific to data protection. Take Spain as an example: in 2022, the Spanish DPA received 15,128 complaints but issued only 378 fines. Statistically, only 2.5% of all complaints ended in a fine. This includes obvious breaches such as unanswered access requests or unlawful cookie banners, which could, in theory, be dealt with quickly and in a standardised manner. By way of comparison: 3.7 million speeding tickets were issued in Spain in 2022 (excluding the Basque Country and Catalonia). A similar comparison can be made for basically any other EU Member State.
Max Schrems: “Somehow it's only data protection authorities that can't be motivated to actually enforce the law they're entrusted with. In every other area, breaches of the law regularly result in monetary fines and sanctions. At the moment, DPAs often seem to be acting in the interests of companies rather than the people concerned."
The data shows: more fines = more compliance. While these numbers are hardly surprising, they are alarming nonetheless. A noyb survey among data protection professionals shows that it is precisely monetary fines that motivate companies to comply with the law. When asked about the most effective enforcement measures, 67.4% of respondents said that a DPA decision against their own company that includes a fine would influence decision makers to opt for more compliance. Interestingly, 61.5% of respondents said that even DPA fines against other organisations would influence their own company's GDPR compliance.
An interactive version of this graph (survey results on the most effective enforcement measures) is available on the noyb website.
Imposed fines are a joke. Taking a closer look at the amount of fines the national authorities impose every year makes the issue even clearer. Ireland (€475,902,000 average fine amount per year) and Luxembourg (€124,395,729 average fine amount per year) lead the statistics for 2018 to 2023 by far. At first glance, that might sound like a lot of money. But it really isn't. Almost all major tech companies, such as Apple, Google, Meta and Microsoft, have their EU establishment in Ireland, making the Irish DPC the lead authority for some of the biggest cases ever. Luxembourg, on the other hand, is the lead authority for companies like Amazon. In reality, the DPC had to be pushed into issuing these fines: noyb's two biggest cases against Meta had to take a detour via the EDPB before the DPC finally fined the company a total of almost €1.6 billion. If you take away this sum, there is not much left.
More budget, more decisions? Some authorities repeatedly argue that they would only need more budget and resources to make more timely and high-impact decisions. Looking at the EDPB statistics, the authorities' budgets increased by up to 130% between 2020 and 2024. The Dutch authority, for example, recorded a budget increase of 62% within four years, without a significant increase in fines imposed. To put this into perspective: in 2023, the Dutch DPA had a budget of almost €37 million but imposed only €1.98 million in fines. This is a difference of almost €35 million, a sizeable hole in the state budget. Since GDPR fines go to the state of the lead authority, this shortfall could be offset by strong enforcement.
An interactive version of this graph (DPA budgets versus fines imposed) is available on the noyb website.
Almost 40% of all fines thanks to noyb. This pattern can be seen throughout the EU: between 2018 and 2023, all EU data protection authorities imposed a combined total of €4.29 billion in fines, of which €1.69 billion resulted from noyb litigation. In other words, almost 40% of all GDPR fines trace back to noyb. This suggests that, in reality, what is missing is the political will to stand up to tech giants rather than the means to act.