59,000 Data Breaches in EU Since GDPR Took Effect: Report
New survey from DLA Piper shows that authorities in the European Union logged more than 59,000 reports of personal data breaches since the General Data Protection Regulation took effect about eight months ago. But the lawyers behind the survey say many EU countries are still digging out from beneath a backlog of breach reports, which likely means more enforcement actions and fines on the horizon.
February 11, 2019 at 05:13 PM
6 minute read
A fuller picture of data breach activity is beginning to develop in the European Union, where authorities have logged more than 59,000 reports of personal data breaches since the General Data Protection Regulation took effect about eight months ago, according to a DLA Piper survey.
The report found that 65 percent of the breach notifications made between May 25, 2018 and Jan. 28 originated from the Netherlands, Germany and the U.K.—the three countries that had the highest number of reported breaches with 15,400, 12,600 and 10,600, respectively.
“One of the reasons, we think, is that because of the GDPR legal system … you typically notify in the country where you've got your European HQ,” Patrick Van Eecke, a DLA Piper partner in Brussels, said Monday in a phone interview.
He added the Netherlands is a popular headquarters location for data-focused companies, which could further explain why the country had so many breach reports. Also, the Netherlands was the only country in the EU that had a pre-GDPR data breach notification requirement, according to Van Eecke.
While data regulators in the Netherlands and a few other countries have experience processing and investigating breach notifications, many others have been struggling with their new responsibilities, according to Van Eecke. In helping to compile the survey, he found that data regulators throughout the EU are swamped in backlogs of breach reports.
|
➤➤ Want to read more about how new tech is challenging old laws and changing the legal profession? Sign up for What's Next, a weekly email briefing on the future of law.
Many companies are inundating authorities with reports because they're erring on the side of caution and reporting relatively minor incidents, including lost thumb drives, to avoid potential sanctions for violating GDPR notification requirements, Van Eecke said.
The GDPR requires companies and other data collectors to notify regulators whenever they experience a breach that has a likely risk of harming users. Notification must typically occur within 72 hours of a company becoming aware of an incident.
Failure to comply with the GDPR notification requirements can lead to maximum fines of 10 million euros, equivalent to more than $11.2 million, or up to 2 percent of a company's total worldwide revenue from the previous financial year, whichever is greater.
While a few countries have published breach notification reports, the majority of EU countries have yet to make the data publicly available or easily accessible.
“That was the main reason we wanted to come up with a survey,” Van Eecke said. “For at least 60 percent of the countries, we couldn't find any publicly available numbers. We really had to call them and push them.”
He stressed that the countries in question “don't want to hide” their breach reports and are simply dealing with a steep learning curve. Several of the countries contacted as part of the survey said they planned to release breach reports, but needed more time to do so.
“It's ended up being way more than the authorities can manage,” said Jim Halpert, a DLA Piper partner in Washington, D.C., who represents companies on a broad range of data management issues.
“The main takeaway,” he added, “is that this is still early days, but there's a real obligation in Europe [to comply with the GDPR] and it's going to be important to review and upgrade your security programs in Europe for personal data.”
The 59,000 reported breaches highlighted in the survey ranged from minor incidents, “such as errant emails sent to the wrong recipient, to major cyberhacks affecting millions of individuals and making front-page headlines,” the report stated.
So far, 91 fines have been handed out for GDPR-related infractions, though not all of the violations were the result of data breaches, according to the survey. For instance, French regulators slapped Google with a more than $56 million fine Jan. 21 under the GDPR for allegedly obtaining users' data without their permission for advertising purposes. Google is appealing the fine.
In Germany, authorities levied 63 GDPR fines, including sanctions of more than $22,500 against social media company Knuddels, a chat platform that allegedly failed to protect users' personal data, opening the door for a breach that exposed more than 800,000 email addresses and 1.8 million usernames and passwords.
The Knuddels case was noteworthy, in part, because under Germany's Federal Data Protection Act the details that a company reveals in a breach notification cannot be used as evidence to support an administrative fine against that same company, unless it consents.
But German authorities apparently set the federal laws aside and used Knuddels' breach report—without the company's consent—as a basis for the fine, according to the survey. Like Google, Knuddels is appealing the fine.
“Germany stands out because of its stringent approach when enforcing and applying the GDPR,” Van Eecke said. “You need to be very well prepared if you go into a discussion with one of the German data protection authorities. They know what they're talking about and they're not afraid of sanctioning.”
So far, most of the GDPR sanctions, aside from the fine against Google, have been relatively low.
In Austria, for example, a company running a sports betting café was fined about $5,400 for allegedly operating an unlawful CCTV system that recorded part of a public sidewalks. And Cyprus reported four fines totaling about $12,900.
But fines could soon rise alongside increased enforcement activity. The survey predicted that “2019 will see more fines for tens and potentially hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications.”
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSoundCloud GC Takes Legal Reins of Condé Nast at Tumultuous Time
Visa CLO-Turned-Vice Chair Seeing Payoff From Expanded Role
Albertsons Gives Up on $25B Merger, Sues Kroger Seeking 'Billions of Dollars'
Trending Stories
- 1New Year’s Mandate: Respect Our Matrimonial Judges
- 2Examining New York Court Decisions on Website Accessibility Claims
- 3What to Expect in the Securities Enforcement Space in 2025
- 4Against All Odds—How to Try, and Win, High-Leverage Cases
- 5Evolving Legal Standards to Combat Disqualification of Arbitrators for Failing to Disclose Conflicts of Interest
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250