Luxembourg emerges as Europe’s sanctions leader on data breaches

Which European countries impose the most or the largest fines for data breaches? After last month’s record fine for Amazon, EURACTIV takes a closer look.

The Luxembourgish data protection authority (DPA) struck hard last month when fining Amazon a record €746 million for multiple breaches of the EU General Data Protection Regulation (GDPR).

Before that, the biggest sanction (€50m) over GDPR breaches had been imposed on Google by the French DPA (CNIL) for not letting its users know what type of data the Internet giant possesses.

In December, however, the CNIL sanctioned both Google and Amazon with fines of €100m and €35m, respectively, over cookie policy. Although the matter related to data processing, the French DPA ruled that it fell under the “ePrivacy” directive and deemed itself “materially competent”. These two major fines are therefore being left out of our comparison as they do not strictly relate to GDPR issues.

Luxembourg has now become the biggest issuer of GDPR fines in Europe, with a total amount of €746m imposed, followed by Italy (€84m) and France (€57m), according to data curated by Privacy Affairs and shared with EURACTIV.

The total of fines over GDPR – which entered into force in May 2018 – now amounts to more than €1bn.

The Luxembourgish DPA is not, however, among the front-runners when it comes to the number of fines, with 11 given in the past three years.

Spain, Italy and Romania are leading with 255, 76 and 61 sanctions imposed, respectively.

Many of the decisions are based on Article 5 of GDPR, which sets out a framework for the processing of data in the bloc.

“One-stop shop” mechanism

The GDPR applies to every member state as well as the European Economic Area countries (Iceland, Liechtenstein, and Norway). As data is in most cases processed in different countries, the EU law introduced the so-called “one-stop shop” mechanism, which ensures cooperation between DPAs.

Most importantly, the provisions state that the competent authority for leading cross-border cases depends on where the data processing organisation has its legal basis. In Amazon’s case, the Luxembourgish privacy watchdog leads the probe as Amazon’s European headquarters are in the Grand Duchy.

In June, however, the EU Court of Justice ruled that national data protection authorities have the power to launch GDPR infringement proceedings against firms registered in another European Union member state, in exceptional circumstances of urgency or where the impact is limited to data subjects within their national or local jurisdiction.

The ruling came after MEPs called for an infringement procedure against Ireland for not being able to keep up with the flow of privacy complaints against the Big Tech companies that fall under the jurisdiction of the Irish Data Protection Commissioner (DPC), which include online advertising giants such as Facebook and Google.

“We have seen some of those resources come on stream, and there have been improvements, but we would argue that there is scope for the DPC to see its resources increased again, given the companies it’s expected to regulate have almost unlimited funds to fight and contest cases”, Irish leftist MEP Clare Daly told EURACTIV at the time.

The data shows that Ireland has imposed a total of six fines, worth €790,000.

Money and resources are often pointed out as one way to support and improve the “one-stop shop” system which has set small countries against multinational giants.

In Ireland for instance, the DPA’s budget was almost a thousand times lower than Google’s in 2019, according to Access Now’s report on the implementation of GDPR.

[Edited by Luca Bertuzzi and Benjamin Fox]

