
Luxembourg leads the way as GDPR fines skyrocket in Q3

Luxembourg has topped a list of European states issuing data protection fines, accounting for almost three quarters of all penalties issued in the latest quarter.

According to data compiled by research firm Finbold, the amount and size of fines issued for violations of the General Data Protection Regulation (GDPR) across Europe grew astronomically in Q3 of this year, falling just short of €1bn (€984.47m).

This was almost 20 times higher than the fines for the previous two quarters combined (€50.26m). The fines for Q3 were also three times higher than the €306.3m imposed in all of 2020.

Two specific fines, handed to Amazon and WhatsApp respectively, were responsible for almost all of the Q3 figures. On 16 July, Amazon Europe Core was fined €746m and asked to change the way it processes consumers’ data.

The complaint was originally brought by a French privacy rights group back in 2018, which contended that Amazon’s advertising practices are not based on free consent. However, under EU law, a company can choose to defend the case in any of the EU states in which it operates. In this case, Amazon selected Luxembourg and its Data Protection Authority (DPA) to handle the investigation.

Meanwhile, in September, the Irish Data Protection Commission (DPC) handed out a €225m fine to social media messaging platform WhatsApp, following a three-year investigation into whether its privacy policy provides users with enough detail on how their data is used.

The original fine from the Irish DPC was set at between €30m and €50m. However, this was challenged by other European regulators, which referred the case to the European Data Protection Board, which issued a heavier fine.

Prior to these two cases, the largest fine for a GDPR breach within the EU was the €50m penalty imposed on Google back in 2019 over its advertising practices.

While the Amazon and WhatsApp cases do skew the statistics for Q3 fines, they also highlight two very important trends as regards data protection enforcement within the EU. Firstly, the size of penalties is going up. It is only three years since the GDPR came into effect.

Secondly, the fact that companies can choose which EU state’s DPA handles an investigation may lead to a concentration of cases in states like Luxembourg, where many companies choose to base their European headquarters. And, as in the WhatsApp case, other national regulators may get involved if they do not feel the fine handed down by the investigating DPA is sufficiently punitive.

Also, according to the research report issued by Finbold, the pandemic caused regulators to take a more lenient stance in 2020. “The period saw businesses undergo financial hardships. Therefore, it can be assumed that the high fines in 2021 indicate that the cushion emanating from the pandemic is no longer applicable as most countries resume normal economic activities amid the vaccination campaigns,” states the report.
