GDPR: EU Sees More Data Breach Reports, Privacy ComplaintsIreland, France, Germany and UK Report Increases Since Privacy Law Took Effect
Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints.
See Also: Regulation Cheat Sheet
That should be no surprise, because the EU on May 25 began enforcing its General Data Protection Regulation. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans' personal information to notify relevant authorities (see: Europe Catches GDPR Breach Notification Fever).
The number of data breach reports filed since GDPR went into effect has hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.
GDPR also gives Europeans the ability to file class-action lawsuits against breached organizations, and some law firms have already been exploring these types of actions.
And under article 77 of GDPR - "Right to complain to a supervisory authority" - Europeans can also file complaints with regulators about organizations' data protection practices, as they were also able to do before enactment of the new regulation. Regulators say these complaints have also been increasing.
Numerous national data protection authorities say they have seen an increase in both complaints as well as breach reports. But as information security expert Brian Honan has told Information Security Media Group, the increase in data breach reports does not mean there has been a surge in data breaches (see: Europe Catches GDPR Breach Notification Fever).
"What we are seeing is an increase in the reporting of the breaches that are happening," according to Honan, who heads Dublin-based cybersecurity firm BH Consulting. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."
Here's a sample of what European privacy watchdogs have been seeing.
Ireland's DPA, the Data Protection Commission, tells ISMG that as of Monday, it's received 2,476 complaints and 3,495 breach reports, although they involve both pre-GDPR and post-GDPR cases. "We have received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR, and the pre-GDPR [before May 25] cases are therefore dealt with under the old legislation," says Graham Doyle, the head of communications.
- Total complaints received: 2,476
- GDPR applies: 1,575
- Old legislation applies: 901
- Total breach reports: 3,495
- GDPR applies: 3,105
- Old legislation applies: 390
In 2017, the DPC received an average of 230 data breach reports and 220 complaints per month. Since GDPR came into effect, however, it's seen a monthly average of 500 breach reports and 354 complaints.
"As you can see, there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25," Doyle says.
Germany's DPA, the Federal Commissioner for Data Protection and Freedom of Information, or BfDI, tells ISMG that as of Oct. 31, it received:
- Complaints: 1,914;
- Data breach notifications: 4,667.
In some cases, breach reports and complaints may be filed with any of the DPAs in Germany's 16 federal states. As of Sept. 5, BfDI says the total numbers seen across all federal and state DPAs included:
- Complaints: 11,017;
- Data breach notifications: 6,156.
France's DPA, the Commission nationale de l'information et des libertés, aka CNIL, tells ISMG that since GDPR enforcement began on May 25, through Nov. 23, it has received:
- Data breach notifications: 1,000;
- Data protection complaints: 6,000.
In the first two months following GDPR going into effect, CNIL received an average of 27 data protection complaints per day, but since then, the average has risen to 36 per day (see: GDPR Effect: Data Protection Complaints Spike).
United Kingdom: ICO
Earlier this month, the U.K.'s DPA, the Information Commissioner's Office, said that it's now seeing about 41 data breach reports get filed per day.
U.K. Information Commissioner Elizabeth Denham told a privacy conference in Wellington, New Zealand, on Dec. 5 that the ICO has seen the total number of data security complaints increase from 9,000 in the six months before GDPR took effect to 19,000 in the six months after.
Since May 25, the ICO also received more than 8,000 data breach reports, she said.
While each of the 28 EU member nations has its own DPA, expect to hear much more from Ireland's Data Protection Commissioner. That's because it will be taking the lead on numerous high-profile privacy investigations since many U.S. technology giants - including Facebook, Microsoft, Twitter, and soon Google - having chosen the country as the site of their European headquarters (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches).
Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across different EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization's "main establishment" takes on the role of lead supervisory authority.
For any organization that doesn't qualify for the one-stop-shop mechanism, but is the subject of a privacy complaint under GDPR, the data protection authority in whichever country where the complaint gets raised takes the lead if it determines that an investigation would be warranted.
First GDPR Fines Still to Come
Beyond bringing mandatory notifications for many types of breach to Europe, GDPR is also a big deal because of the potential penalties that regulators can impose on organizations that fail to take privacy seriously.
Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) - whichever is greater - as well as other potential sanctions, including losing their ability to process personal data.
Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.
Many regulators have been clear that they don't plan to use the threat of massive GDPR fines punitively. But at the same time, organizations that fail to take Europeans' privacy rights seriously, or worse, engage in criminal behavior and attempt to cover it up, may find themselves at the receiving end of a serious European privacy enforcement smackdown.
So far, regulators have yet to bring GDPR fines to bear on an organization that was breached since May 25. In general, DPAs' investigations into major breaches tend to take about a year. So it's a safe bet that any major GDPR penalties won't be seen until mid-2019, at the earliest (see: Marriott Mega-Breach: Will GDPR Apply?).