
GDPR in Numbers

Statistics collected from 13 EU countries show that 8 months into the GDPR, the new data protection law is alive and kicking. DPAs have received thousands of complaints and breach notifications, and a first large fine has already been imposed.
No. 2, 28 Jan 2019 Issue

The numbers confirm that the GDPR – eight months since its entry into application – is not merely a set of general principles and empty promises but a practical and widely used tool for the protection of people’s right to data protection.

Countries covered in this edition

For this edition, we were only able to obtain comprehensive numbers from 13 countries; we expect to continue expanding our coverage going forward. We were, however, able to obtain data from new countries compared to the previous edition, including Greece, Cyprus, Belgium and Slovenia. We were not able to get new information from Ireland and the UK, which were covered in the first edition.

The charts below present statistical information provided by Data Protection Authorities from 13 European countries: Greece, Cyprus, France, Germany, Poland, Romania, Sweden, Slovakia, Slovenia, Belgium, Italy, Portugal and the Netherlands. The reference dates for the statistics provided by the DPAs vary from 25 November to 21 January (see details below for individual countries).

We are presenting below statistical data related to the following categories:

  1. the total number of complaints received, and
  2. the total number of data breach notifications received.

We are also including a series of miscellaneous but important numbers for evaluating the state of play of the implementation of the GDPR.

Getting the data – what are the challenges?

While the GDPRToday is still a young publication, with our eight months of experience trying to collect data from data protection authorities, we can already see how complex a task this can be. First, we do not have partners in every country helping us gather the data. Second, DPAs are not providing us with the data in a harmonised manner. For instance, not every authority counts “received complaints” the same way, which may create important disparities in the numbers provided. We would recommend that the European Data Protection Board develop criteria for the reporting of these numbers and push for a mechanism for the regular disclosure of these numbers throughout the year, beyond the yearly mandatory reporting obligations.

The numbers received show that a significant number of complaints have been filed across the EU. Compared with the data from the first edition of the GDPRToday, the numbers are consistent across the first eight months, and DPAs are continuing to receive complaints regularly.

Putting the numbers in context

Looking at the raw data, France is the country where the most complaints have been filed so far. However, if we compare the number of complaints with the number of inhabitants per country, it is in the Netherlands that the most complaints have been filed proportionally, with 9661 complaints for more than 17 million inhabitants.

In addition to national complaints, as of November 25, 345 cross-border complaints had been filed with data protection authorities, thus requiring the use of the one-stop-shop and cooperation mechanism foreseen under the GDPR. According to data published by the EU Commission, a total of 95 180 complaints were introduced across the EU between 25 May 2018 and 28 January 2019.

Overall, all data protection authorities are reporting an increase in the number of complaints received post GDPR. In France, the CNIL has received 34% more complaints compared to the previous year, which was already a record year. Similarly in Belgium, the new data protection authority has received nearly double the number of complaints it received in 2017. In the meantime, the resources and number of staff of data protection authorities have largely remained the same in all member states. This means that many authorities do not necessarily have sufficient means to adequately respond to this growing number of requests and ensure that the data protection rights of EU data subjects are protected and enforced. We urge the EU Commission and EU member states to provide the authorities with sufficient funding and resources to implement the GDPR.

An increasingly large number of data breach notifications have been submitted over the last 8 months, suggesting that businesses and other organisations take seriously the obligation imposed by Article 33 of the GDPR. Many DPAs have indicated a sharp increase in the number of data breach notifications when compared to the same period last year. According to data published by the EU Commission, a total of 41 502 data breach notifications were submitted across the EU between 25 May 2018 and 28 January 2019. This, of course, does not mean that more breaches are happening now, but that they are now being reported more often. This is a good change for users, who have the opportunity to be better informed about how to protect their information that may have been accessed by an unauthorised party. In the long run, it will also help strengthen data security by providing important information on standards.

The number of breach notifications reported by the Dutch authority is particularly interesting, as it is significantly higher than that of any other authority in the EU from which we obtained data. It seems that the Dutch authorities received almost 10 times more notifications than the French, German or Polish authorities, for instance. To better explain these differences, it would be helpful to get more insight into how authorities are counting these notifications and into the sectors which are reporting the most breaches. One element that could at least partially explain this significant difference in the number of breaches reported in the Netherlands compared to other EU countries is that the Netherlands has had a data breach notification obligation since 2016. As a result, organisations may have already been more accustomed to notifying breaches to the DPA.

What’s next?

As the GDPR is getting closer to its one-year mark, we can expect these numbers to continue to grow. A key number this month was 50 million, the amount of the fine imposed on Google by the French authority for violating the GDPR. This is the first large fine and, with more complaints being filed, we can expect more of these to come. GDPR Today will be collecting statistical information from DPAs in bi-monthly rounds – stay up to date!

DETAILS CONCERNING DATA COLLECTION IN INDIVIDUAL COUNTRIES

Belgium – 25 May – 25 November; figures were gathered by Access Now

Cyprus – 25 May – 25 November; figures were gathered by Homo Digitalis

France – 25 May – 25 November; figures were gathered by Access Now

Germany – 25 May – 25 November (estimated for some Länder); figures were gathered by Panoptykon Foundation

Greece – 25 May – 20 December; figures were gathered by Homo Digitalis

Italy – 25 May – 25 November (overlap for complaint data from August may result in a slightly inaccurate result); figures were gathered by Hermes Center for Transparency and Digital Human Rights

Poland – 25 May – 25 November; figures were gathered by Panoptykon Foundation

Portugal – 25 May – 31 October; figures were gathered by D3 – Defesa dos Direitos Digitais

Romania – 25 May – 25 November; figures were gathered by Association for Technology and Internet

Slovakia – 25 May – 25 November; figures were gathered by Erik Láštic, Comenius University, Bratislava, Slovakia, PODATA project

Slovenia – 25 May – 31 December; figures were gathered by Jure Trbič, Pirate Party

Sweden – 25 May – 21 January (with a 7-day overlap between 2 data requests which may result in a slight inaccuracy in the total number provided); figures were gathered by Data Skydd

The Netherlands – 25 May – 25 November; figures were gathered by Bits of Freedom

Complaints

The number of complaints submitted to the DPAs by individuals. Lawsuits filed with courts are not included.

Breach Notifications

The number of data breach notifications submitted to Data Protection Authorities by businesses or other organisations, pursuant to Article 33 of the GDPR.