John Magee

Ireland has issued GDPR fines worth €226.05 million since 25 May 2018, now second only to Luxembourg with €746.3 million. Both jurisdictions leapt up the table after announcing record-breaking GDPR fines last year.

Luxembourg imposed a €746 million fine last year against a US online retailer and e-commerce platform. The fine is not publicly available and is subject to an ongoing appeal.

Nearly €1.1 billion in fines were imposed in 2021, a 594 per cent year-on-year increase compared to €158.5 million during 2020.

Some 6,802 data breaches were reported to the Irish Data Protection Commission in 2021, the sixth highest level of breach notifications across Europe and fourth highest on a per capita basis.

The growth of breach notifications has continued with an eight per cent increase from 2020’s average of 331 notifications per day to 356 in 2021 and more than 130,000 personal data breaches notified in aggregate since 28 January 2021.

Weighting the results against country populations, the Netherlands takes pole position this year ahead of Liechtenstein, Denmark and Ireland, with 151, 136, 131 and 130 breach notifications per 100,000 people respectively. Croatia, the Czech Republic and Greece reported the fewest number of breach notifications per capita since 28 January 2021.

John Magee, partner and head of data protection and information security at DLA Piper Ireland, said: “It is four years since the implementation of GDPR and we are now seeing significant fines imposed for a wide range of infringements of Europe’s rigorous data protection laws.

“This year, regulators have issued record fines surpassing €1 billion and Ireland now ranks second overall for total fines to date, demonstrating the significant position and influence of the Data Protection Commission (DPC) in the EU.

“Given that Ireland is home to some of the world’s largest-data businesses there is no doubt that the DPC will continue to play a central role in the enforcement of GDPR in Europe.”

While the increase in fines may be significant, Mr Magee added that the Schrems II judgment continues to be the top data protection compliance challenge for many organisations caught by GDPR.

He said: “The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers. Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations.”