At high school I had a wonderful history teacher. He was passionate about his subject and was a brilliant communicator. I learned a lot in his class and still enjoy history today. One of the most important things he ever taught me was, however, nothing to do with history but statistics. I thought of him today when I read that fines issued under GDPR leapt from €171 million in 2020 to over €1 billion in 2021. 

That is a staggering leap! What has caused it? Have the DPAs ramped up capacity and gone enforcement crazy? Have organisations thrown in the compliance towel and decided to ride fast and loose with personal data?    

Thankfully, it appears not. DPAs, however, have continued to increase the number of fines issued, with 412 reportedly issued in 2021. The level of fines has also been increasing year-on-year, but it is not as radical as the figures suggest.

In 2021, over €970 million (97% of the total) was made up of just two fines: Amazon Europe Core S.à.r.l was fined €746 million and WhatsApp Ireland Ltd. €225 million. If these two outliers are taken out, then the figures are much more in line with previous years and the pattern of a steady but increasing number of fines being issued and higher amounts being levied when the fines are issued.

The big fines are important to show that where necessary DPAs are willing to use the powers given to them under the GDPR to their fullest extent, so no organisation should take GDPR compliance lightly. In fact, this may be a timely reminder for some (and a good hook for the attention of others, especially senior leadership) that now may be a good time for a GDPR compliance review. I am sure no one wants to be part of this fining statistic next year.

And as for my history teacher's pearl of wisdom: "Statistics are like swimwear. What they reveal is interesting, what they hide is essential."