The study

Privacy, record number of sanctions from Garantees across Europe in 2023

The analysis of the international study by Dla Piper: +14% in amounts demanded from companies. But weighing in is Ireland's maximum fine in Meta. Italy is in fourth place

3' min read

3' min read

2023 was a record year for sanctions by the European Privacy Authorities. In a single year, the authorities handed out EUR 1.78 billion in fines, 14 per cent more than in 2022. But driving the result was above all the Irish Data Protection Authority's maximum fine imposed on Meta in May, for violations on the transfer of personal data to third countries (specifically, the United States), the highest ever awarded so far for compliance with the European privacy regulation, the Gdpr, in force since May 2018. Drawing up the balance of a year of decisions by the European national data protection authorities is the international law firm Dla Piper, in a report analysing the trend of the year that has just ended, under two profiles: that of sanctions, precisely, and that of the so-called data breaches, i.e. the 'thefts' and, in general, the violations of personal data reported to the Guarantors by companies, public administrations and professionals.

The 2023 budget

The maxi sanction at Meta by the Irish Privacy Guarantor has set a double record: that of the maximum total amount of sanctions imposed in one year by the Authorities (1.78 billion against 1.56 billion in 2022) and, on the other hand, that of the single highest amount of sanctions imposed in these five years of the EU Regulation. But on closer inspection - as Dla Piper's experts point out - 2023 was not such an exceptional year on the privacy front. The breakthrough year in fact remains 2022 when sanctions increased by 50 per cent compared to the previous 12 months. The actual setback is largely due to the fact that many of the sanctions decided by the Supervisors in 2023 were then reduced - or even cancelled - in court. The fines of the Garanti in execution of binding opinions and decisions of the EU Data Protection Authority (the European Data Protection Board) also decreased. With the 2023 amounts, the total of fines imposed as a result of the EU Regulation across Europe has reached EUR 4.68 billion from 2018 to date.

Loading...

Italy

Italy ranks fourth in the 'top ten' of EU countries with the most fines, with more than 145m euros demanded from companies from 2018 to date. Preceding it are Ireland, Luxembourg and France. The latter with a clear gap: 546 million in fines imposed.

Ireland's record

.

This special ranking of the most 'rigorous' countries in terms of privacy is dominated by Ireland: more than 2.2 billion fines for GDPR violations requested over the past five years, half of which were last year alone with Meta. Of course, the figure is influenced by the fact that the country is the European outpost of almost all big tech. And these are the companies that are most 'sensitive' on the issue of personal data protection. Moreover, the node addressed by Ireland with the maxi fine to Meta is far from being a closed chapter: the company that owns Facebook and Instagram must answer for the illegal transfer of data from Europe to the United States, and along with the fine came an order to cease this transfer in a short time. But the issue is broader and concerns all companies that handle data straddling the two continents, following an EU Court ruling that has overturned the rules that governed this exchange. Institutions and Authorities are still working since then to find an agreement that will put an end to the legal uncertainties on the issue.

The data breach

.

In 2023, an average of 335 data breaches per day were reported in Europe. About the same number as in 2022, when there were 328. Also last year, as in the previous year, the highest number of attacks is reported in Germany: over 32 thousand reports. Italy ranks about halfway down the list (it is twelfth) but with a clear gap from the first: only 1,688 cases were reported last year. As Dla Piper's study points out, behind these large differences there could also be different interpretations of the Regulation that requires all data violations to be reported, except those that do not constitute a risk for the rights and freedoms of the individual. A rule that, since it does not set specific limits or thresholds, leaves some uncertainty anchje among those who must decide whether or not to report a data breach.

 

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti