Data shows one-stop-shop development and regulators’ appeal failures

Updated as of: 13 August 2021

New data covering the first three years of GDPR enforcement suggests that some European data protection authorities are struggling to make their fines stick – and that the one-stop-shop’s centre of gravity may be shifting away from Ireland.

The European Data Protection Board (EDPB) released figures last week that compile enforcement data submitted by Europe’s GDPR regulators.

The EDPB released similar data twice in 2020. The first set highlighted the development of the bloc’s cross-border enforcement, while the second provided more insight into the cases that had actually been completed.

The new data is more wide-ranging, catching all cross-border and national enforcement that took place between 25 May 2018 and 31 May 2021. It showcases not only the number of enforcement cases that regulators have picked up, but also the number of them that led to fines and other penalties – and also shows that appeal courts are regularly altering or striking down some regulators’ fines.

Enforcement

Germany’s multiple data protection watchdogs started by far the largest number of GDPR investigations from 2018 to 2020. Those numbers may be even higher in reality, as records were unavailable for some German regulators.

Those figures are construed broadly: the EDPB says these numbers catch each time a regulator is asked about compliance, including “the handling of complaints, tips and signals regarding possible non-compliance and cases for which no formal investigation is launched.” Regulators may also count this differently.

Five months into 2021, it looks like German regulators will continue to leave the rest of Europe in their wake. As of 31 May, they handled 17,600 cases. Ireland was a distant second, with a still huge 7,400 cases – having overtaken the Netherlands, which is now third.

Germany’s dominance here is unsurprising. A privacy-centric culture is backed by a combined regulatory budget that outstrips that of any other data protection authority in Europe.

Resourcing

The EDPB also asked regulators whether they believed they were sufficiently resourced. The answer, overwhelmingly, was no. Only Austria, Hungary, Lithuania, Luxembourg and Cyprus believed that they had enough cash to do their jobs properly. There’s a similar squeeze on staffing: Austria, Hungary, Lithuania and Cyprus were the only regulators to report that they needed no more human resources (Luxembourg, despite being apparently satisfied with its budget, still appears to believe it does not have enough staff).

Complaints about resourcing are nothing new: regulators and European politicians have long said the GDPR’s enforcement works on a shoestring. Post-Schrems II, regulators now have more work than ever.

The good news is that most regulators had their budgets increased in 2021.

Austria’s was boosted by a full 50%, from €2.8 million to €4.2 million. Italy and Germany also received generous increases, with the Garante increasing its budget 18% from €30.1 million to €35.6 million, and Germany’s regulators going up 15% from €82.6 million to €94.8 million (although many of those watchdogs also handle freedom of information matters, meaning the budget dedicated to GDPR enforcement may be smaller).

Other regulators suffered budget cuts in 2021. 

Hungary was particularly badly hit, having had to make do with a 19% reduction; Slovakia and Greece lost 11% and 9% respectively. Luxembourg, which reports being happy with its budget, lost 6%.

Fines and appeals

Against that backdrop, many regulators are turning a serious number of cases into penalties. According to the EDPB data, just over 2,200 cases resulted in fines – with Germany once again comfortably in the lead.

Spain and Italy also performed strongly. Major cross-border watchdogs Ireland and Luxembourg were right at the bottom of the table, having handed down only seven and six fines respectively (Luxembourg, in its defence, issued the highest GDPR fine to date in July 2021). 

Very few of those penalties are significant. The GDPR’s potential 4% of global turnover penalties are eye-catching, but cases rarely get anywhere near that level.

Appeal losses

Some of those numbers should cause concern for regulators. The EDPB asked regulators to provide statistics for the number of their fining cases that were appealed – and of those, which were overturned, modified, upheld, or still pending.

Spain is a notoriously aggressive enforcer, issuing multiple fines each month. Most of those fines are small, although a handful now push into million-euro territory. But it looks like companies are systematically taking their chances in court: of 279 fines, 266 – 95% – are subject to appeals. Just over a quarter of those appeals led to a full annulment, with a further 8% adjusted in some way. The annulments represent 24% of Spain's fining decisions overall. 

Those are some of the worst loss rates in Europe. But Belgium tops the table: 40% of Belgium’s fines were challenged – and 66% of those challenges led to a full annulment. (Estonia’s cancellation rate is currently 100%, but that’s based on the outcome of a single appeal, which was filed against one of 33 fining decisions.)

Germany’s busy regulators appear to have done well. Of 606 appeals, only 8 were overturned and 15 were modified. But at least two of those rulings were significant, and affected two of the country’s three highest fines. A Berlin court struck down the Deutsche Wohnen €14.5 million fine in early 2021, and a Bonn court slashed a €9.5 million penalty against 1&1 to €900,000 in late 2020.  

It’s worth noting that at least some of these numbers include pre-GDPR investigations. Bulgaria and Italy’s appeal figures outstripped those of their GDPR fining cases; both told GDR that their appeal statistics include pre-GDPR cases.

Some enforcers are excluded as they did not provide appeal results to the EDPB.

Cross-border investigations

The vast majority of those fine cases are national; cross-border cases run through the one-stop-shop are often more significant. 1,615 of those were handled by Ireland, where many of the world’s largest tech companies have established themselves. The Irish regulator is widely perceived as Europe’s busiest cross-border enforcer. It’s certainly the most controversial: activists and other regulators have repeatedly criticised its investigative strategies.

In mid-2020, Ireland had the largest caseload as a lead supervisory authority – suggesting that it was dealing with a large caseload of cross-border cases that involved a company established within the country.

A year later, that picture has changed.

Germany is now on top, handling 183 cases as a lead enforcer to Ireland's 164.

In a year, Ireland’s lead regulatory caseload has increased from 127 to 164. Germany’s has shot up to an even greater extent – as of midway through 2020, it had handled only 92 such investigations.

The figures suggest that the one-stop-shop’s centre of gravity may be shifting away from Ireland. It remains to be seen whether a significant number of those German investigations are against significant targets, given that Ireland hosts the likes of Google, TikTok, Twitter, Apple, and Facebook and its subsidiaries WhatsApp and Instagram.

As of August 2021, only one investigation run by Ireland as a lead regulator has resulted in an infringement decision. At least one more is approaching a final decision.

With Germany taking on more of those cases, there may soon be an uptick in cross-border case completion. Mapping the 2020 and 2021 numbers also shows which other authorities have significantly increased their cross-border case load. 
