A fuller picture of data breach activity is beginning to develop in the European Union, where authorities have logged more than 59,000 reports of personal data breaches since the General Data Protection Regulation took effect about eight months ago, according to a DLA Piper survey.
The report found that 65 percent of the breach notifications made between May 25, 2018 and Jan. 28 originated from the Netherlands, Germany and the U.K.—the three countries that had the highest number of reported breaches with 15,400, 12,600 and 10,600, respectively.
“One of the reasons, we think, is that because of the GDPR legal system … you typically notify in the country where you’ve got your European HQ,” Patrick Van Eecke, a DLA Piper partner in Brussels, said Monday in a phone interview.
He added the Netherlands is a popular headquarters location for data-focused companies, which could further explain why the country had so many breach reports. Also, the Netherlands was the only country in the EU that had a pre-GDPR data breach notification requirement, according to Van Eecke.
While data regulators in the Netherlands and a few other countries have experience processing and investigating breach notifications, many others have been struggling with their new responsibilities, according to Van Eecke. In helping to compile the survey, he found that data regulators throughout the EU are swamped in backlogs of breach reports.
Many companies are inundating authorities with reports because they’re erring on the side of caution and reporting relatively minor incidents, including lost thumb drives, to avoid potential sanctions for violating GDPR notification requirements, Van Eecke said.
The GDPR requires companies and other data collectors to notify regulators whenever they experience a breach that has a likely risk of harming users. Notification must typically occur within 72 hours of a company becoming aware of an incident.
Failure to comply with the GDPR notification requirements can lead to maximum fines of 10 million euros, equivalent to more than $11.2 million, or up to 2 percent of a company’s total worldwide revenue from the previous financial year, whichever is greater.
While a few countries have published breach notification reports, the majority of EU countries have yet to make the data publicly available or easily accessible.
“That was the main reason we wanted to come up with a survey,” Van Eecke said. “For at least 60 percent of the countries, we couldn’t find any publicly available numbers. We really had to call them and push them.”
He stressed that the countries in question “don’t want to hide” their breach reports and are simply dealing with a steep learning curve. Several of the countries contacted as part of the survey said they planned to release breach reports, but needed more time to do so.
“It’s ended up being way more than the authorities can manage,” said Jim Halpert, a DLA Piper partner in Washington, D.C., who represents companies on a broad range of data management issues.
“The main takeaway,” he added, “is that this is still early days, but there’s a real obligation in Europe [to comply with the GDPR] and it’s going to be important to review and upgrade your security programs in Europe for personal data.”
The 59,000 reported breaches highlighted in the survey ranged from minor incidents, “such as errant emails sent to the wrong recipient, to major cyberhacks affecting millions of individuals and making front-page headlines,” the report stated.
So far, 91 fines have been handed out for GDPR-related infractions, though not all of the violations were the result of data breaches, according to the survey. For instance, French regulators slapped Google with a more than $56 million fine Jan. 21 under the GDPR for allegedly obtaining users’ data without their permission for advertising purposes. Google is appealing the fine.
In Germany, authorities levied 63 GDPR fines, including sanctions of more than $22,500 against social media company Knuddels, a chat platform that allegedly failed to protect users’ personal data, opening the door for a breach that exposed more than 800,000 email addresses and 1.8 million usernames and passwords.
The Knuddels case was noteworthy, in part, because under Germany’s Federal Data Protection Act the details that a company reveals in a breach notification cannot be used as evidence to support an administrative fine against that same company, unless it consents.
But German authorities apparently set the federal laws aside and used Knuddels’ breach report—without the company’s consent—as a basis for the fine, according to the survey. Like Google, Knuddels is appealing the fine.
“Germany stands out because of its stringent approach when enforcing and applying the GDPR,” Van Eecke said. “You need to be very well prepared if you go into a discussion with one of the German data protection authorities. They know what they’re talking about and they’re not afraid of sanctioning.”
So far, most of the GDPR sanctions, aside from the fine against Google, have been relatively low.
In Austria, for example, a company running a sports betting café was fined about $5,400 for allegedly operating an unlawful CCTV system that recorded part of a public sidewalks. And Cyprus reported four fines totaling about $12,900.
But fines could soon rise alongside increased enforcement activity. The survey predicted that “2019 will see more fines for tens and potentially hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications.”