According to its latest annual survey of GDPR fines and data breaches, a total of 6,615 data breaches were reported to Ireland’s Data Protection Commission in the past 12 months, the sixth highest level of breach notifications across Europe and third highest on a per capita basis.

Across the 27 EU member states and the UK, Norway, Iceland and Liechtenstein, a total of €272.5 million in fines have been imposed for a wide range of GDPR infringements.

Ireland has imposed €715,000 in fines under the GDPR since it came into effect in May 2018, ranking it 14th. Italy’s regulator tops the rankings for aggregate fines, having imposed more than €69.3 million. Germany and France came second and third with aggregate fines of €69.1 million and €54.4 million respectively, followed by the UK in fourth position with €44.2 million.

In aggregate there have been more than 281,000 data breach notifications since the application of GDPR with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators. Ireland sits in fifth position with 17,131 breach notifications since 25 May 2018.

France and Italy, countries with populations over 67 million and 62 million people respectively, only recorded 5,389 and 3,460 data breach notifications for the same period, which DLA Piper said illustrates the cultural differences in approach to breach notification.

The aggregate daily rate of breach notifications in Europe experienced double-digit growth for the second year running with 331 notifications per day since 28 January 2020, an 19 per cent increase compared to 278 breach notifications per day for the previous year.

Weighting the results against country populations, Ireland reported 127.8 breaches per 100,000 people, down from 132.52 per 100,000 people last year. This ranks the country third this year compared to second last year. Denmark takes pole position this year ahead of the Netherlands with 155.6 and 150 reported breaches per 100,000 people respectively. Greece, Italy and Croatia reported the fewest number of breaches per capita since 28 January 2020.

The highest GDPR fine to date remains the €50 million fine imposed by the French data protection regulator on Google for alleged infringements of the transparency principle and lack of valid consent.

Commenting on the report, Ross McKean, chair of DLA Piper’s UK data protection and security group, said: “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.

“However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”

John Magee, IP and technology partner at DLA Piper Ireland, said: “Regulators have been testing the limits of their powers this year issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defences of enforcement action to continue.

“Closer to home, the Data Protection Commission has flexed its muscles by issuing fines against domestic organisations as well as a large technology company. As lead regulator for many international businesses, and with a large volume of inquiries underway, the DPC is likely to issue further sanctions as 2021 progresses.”