The numbers show that the GDPR – with only five months since its entry into effect – is not merely a set of general principles and empty promises but a practical and widely used tool for the protection of people’s privacy. While we were only able to obtain comprehensive numbers from eight countries, we expect to expand our coverage of reporting going forward.
The charts below present statistical information provided by Data Protection Authorities from eight European countries: France, Germany, Ireland, Italy, Poland, Romania, Sweden, and the United Kingdom. The reference dates for the statistics provided by the DPAs vary from 24 August to 28 September (see details below for individual countries).
Despite our best efforts, the data from the different countries are not entirely comparable. Some DPAs regularly publish detailed statistics online (e.g. France, UK), or respond quickly to FOI requests (e.g. Poland). Some have made it clear that regular statistical updates are too burdensome in the light of the workload they are facing. Last but not least, some DPAs have not replied to our requests at all. This indicates that for effective Europe-wide monitoring of the ongoing implementation of the GDPR, a certain amount of harmonisation is necessary for making statistical information available.
The data from two countries is not sufficiently accurate: the statistics from Germany include only 5 out of the 16 German states; while data from the British ICO includes not only complaints and breach notifications filed under the GDPR, but also actions taken after 25 May 2018 under the previous Data Protection Act of 1998.
However, even this incomplete data gives us a valuable insight into the functioning of the GDPR.
We have asked DPAs for statistical data related to four categories:
- the total number of complaints,
- the total number of data breach notifications,
- the number of imposed fines, including their amounts,
- the number of codes of conduct (both submitted and approved).
Even taking into account the overestimated number of complaints in the UK, it is safe to say that people have rushed to take matters into their own hands, resulting in thousands of complaints being filed with Data Protection Authorities. The European Data Protection Board claims that more than 42,230 complaints have been lodged across Europe. The numbers may be even higher when we take into consideration that the GDPR also allows citizens to file lawsuits directly with courts.
The large number of data breach notifications (nearly 13,000 overall) suggests that businesses and other organisations take seriously the obligation imposed by Article 33 of the GDPR. Many DPAs have indicated a sharp increase in the number of data breach notifications compared to the same period last year. This does not, of course, mean that more breaches are happening now, only that they are now being reported more often. This is a good change for users, who can be better informed when their information may have been accessed by an unauthorised party and about how to protect it. In the long run, it will also help strengthen data security by providing important information on standards. According to information provided by the British ICO, the highest number of data breach notifications concerned the disclosure of data (nearly 4,000 cases). We do not have any information about the categories of breaches from other countries.
According to the collected data, fines have so far been imposed only six times, which makes sense given that the law only came into effect a few months ago and those investigations must be carried out carefully. All of the fines imposed so far come from the DPA in the German state of North Rhine-Westphalia and amount to €2,350 in total (one fine of €600, two fines of €500, and three fines of €250). We do not know whether these fines were imposed as a result of individual complaints or proceedings initiated by data breach notifications. What is evident is that the media-driven fear of gigantic fines amounting to €20 million is – at least for now – unfounded. Assessing the penalties for the different categories of data breaches is a hard nut to crack. Only time will tell how DPAs handle this issue and whether Europe-wide standards emerge for the amounts of the fines.
Industry associations are allowed to prepare codes of conduct which are supposed to help apply the GDPR in the various sectors of the economy. Draft codes must be submitted for the approval of a competent Data Protection Authority. As of 25 September, only six draft codes have been submitted: four in Romania, one in Poland, and one in Germany. None of these has yet been approved. Given that the European Data Protection Board is in the process of drafting guidelines concerning codes of conduct and monitoring bodies, we expect more codes to emerge in the coming months.
The GDPR is only just getting up steam. The first five months have not yet brought us the much-feared (or awaited, depending on your point of view) million-euro fines, or any major standard-setting decisions or judgements. The latter are inevitably approaching, with crucial complaints being filed against the biggest tech companies such as Facebook and Google. GDPR Today will be collecting statistical information from DPAs in bi-monthly rounds – stay up to date!
DETAILS CONCERNING DATA COLLECTION IN INDIVIDUAL COUNTRIES
France – 25 September (except breach notifications: 17 October); figures were gathered by Access Now
Germany – 24 August (Bremen) / 31 August (Berlin) / 10 September (Brandenburg) / 20 September (North Rhine-Westphalia) / 25 September (Saxony); figures were gathered by Panoptykon Foundation
Italy – 25 September; figures were gathered by Hermes Center for Transparency and Digital Human Rights
Poland – 25 September; figures were gathered by Panoptykon Foundation
Romania – 25 August; figures were gathered by Association for Technology and Internet
Sweden – figures were gathered by Data Skydd
UK – 25 September; figures were gathered by Open Rights Group