More than 160,000 data breach notifications have been reported across Europe since regulation came into force

The Netherlands has recorded more data breach notifications under GDPR than any other European country, a study has revealed.

The country topped the rankings both in absolute terms – receiving 40,647 breach notifications since the regulation came into force in May 2018 – and per capita numbers, with 147.2 reported breaches per 100,000 residents in 2019.

This was up from 89.8 reports per 100,000 Dutch residents during the first eight months the EU’s data protection regime was in force (May-December 2018).

According to the DLA Piper GDPR Data Breach Survey (PDF), published today, Ireland and Denmark reported the second and third highest number of breach notifications per capita, with 132.5 and 115.4 notifications per 100,000 residents, respectively.

The lowest data breach notification numbers were found in Greece (1.5 per 100,000), Romania (1.9), Italy (2.05), and Spain (2.08).

Cumulatively, Germany (37,636) and the UK (22,181) recorded the second and third highest numbers of breach notifications.

Overall, the report found that more than 160,000 data breach notifications have been reported across Europe since GDPR came into force.

Commenting on the country’s top-three position in the GDPR index, Allan Frank, an ICT security specialist at Datatilsynet, Denmark’s data protection regulator, said: “We don’t see Denmark as more prone to cyber-attack.”

Instead, Frank said, the country’s public and private sectors were accustomed to “reporting to public authorities in different matters” – including data breaches – through a single web portal.

He also told The Daily Swig that “more than 80% of the breaches [PDF, in Danish] are related to sending the information of one data subject to the wrong recipient, often in an otherwise secure manner, so the majority of breaches are not severe.”

More than 160,000 breach notifications have been reported across 31 European Economic Area (EEA) countries since the General Data Protection Regulation came into force in May 2018.

The daily rate jumped 12.6% from 247 breach notifications per day for the first eight months of GDPR to 278 notifications for the subsequent 12 months.

Despite ranking a lowly 23rd for numbers of per-capita breach notifications, France has levied the greatest amount in total GDPR penalties for non-compliance, dishing out €51 million ($56.5 million), followed by Germany (€24.5 million, or $27.2 million) and Austria (€18 million or $20 million).

CNIL, the French regulator, also handed down the biggest individual fine: the €50 million ($55.4 million) imposed on Google for violating consent and transparency principles.

However, that figure could be dwarfed by two fines proposed by the UK regulator (ICO) in July 2019 for data breaches – £183.39 million ($238.4 million) for British Airways and £99.2 million ($128.9 million) for Marriot International.

RECOMMENDED Ireland embraces tech giants in revamped cybersecurity strategy

Regulators across Europe have imposed fines totalling €114 million (US $126 million) under GDPR, but pending UK fines could add another €329 million ($366 million).

DLA Piper partner Ross McKean, who specialises in cybersecurity and data protection, suggested fines have been low relative to “potential maximum fines” of €20 million ($22.2 million) or 4% of annual global turnover, “indicating that we are still in the early days of enforcement.

“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question.”

YOU MIGHT ALSO LIKE CCPA the ‘first of many’ state-level US privacy laws on the horizon