NGO noyb.at frustrated

Only 1.3 percent of GDPR cases end with fines

Some data protection authorities seem to impose far higher penalties than others.

(Bild: stock.adobe.com/Patrick Daxenbichler - stock.adobe.com)

The data protection NGO noyb is critical: although the General Data Protection Regulation (GDPR) 2018 introduced the possibility of imposing fines, on average only 1.3 percent of all cases before the EU data protection authorities result in a fine.

This was stated by the organization None Of Your Business (noyb, "Geht Dich Nichts An") of the Austrian data protection activist Max Schrems on the occasion of Data Protection Day on Tuesday. Noyb refers to statistics from the European Data Protection Board (EDPB).

The data protection experts consider fines to be the most effective means of persuading companies to comply with the law. Schrems explained in a press release: "The European data protection authorities have all the necessary means to punish GDPR violations appropriately and impose fines. Instead, negotiations often drag on for years - and rarely end in the interests of those affected."

Slovakia leads - Netherlands at the end of the spectrum
Although some data protection authorities appear to impose far higher fines than others, the overall figures are all in the single-digit percentage range - or lower. With penalties in 6.84 percent of all complaints and self-initiated procedures between 2018 and 2023, the Slovakian data protection authority leads the statistics. It is followed by Bulgaria (4.19 percent) and Cyprus (3.12 percent). In Austria, the figure is 1.10 percent. At the other end of the spectrum, the Dutch authority imposed a fine in 0.03 percent of all cases, closely followed by France (0.10 percent) and Poland (0.18 percent).

The noyb data protection experts describe the fines imposed as a "farce". Ireland leads the statistics by far with a total of 2.855 billion from 2018 to 2023 or 475,902,000 euros in average fines per year, ahead of Luxembourg (746 million or 124,395,729 euros in average fines per year). However, all major tech companies such as Apple, Google, Meta and Microsoft are based in Ireland. Luxembourg is responsible for companies such as Amazon.

In Austria, penalties totaling 42.9 million euros were imposed in the six years (2018-2023), or an average of 7,156,918 euros per year. According to the statistics, there is an average of 2,687 data protection complaints per year. The number of penalties is 30 per year.

A total of 4.29 billion euros in fines imposed
Between 2018 and 2023, all EU data protection authorities imposed fines totaling 4.29 billion euros - 1.69 billion euros of which are based on noyb procedures, the Vienna-based association announced. "In other words: almost 40 percent of all GDPR fines are attributable to noyb."

According to its own information, noyb.eu has so far brought around 800 proceedings against numerous intentional infringements - including against companies such as Google, Apple, Facebook and Amazon. "At the moment, the data protection authorities often seem to act in the interests of companies rather than the individuals concerned," complains Schrems. More than 5,000 supporting members make the work of the data protection organization possible.