GDPR buses reach over 1 billion euros in 2021

The aim of the General Data Protection Regulation (GDPR) was to give EU citizens more control over their data and privacy. It was introduced in 2018 and also applies in Iceland, Liechtenstein and Norway, which are not EU members but belong to the European Economic Area EEA. Swiss companies are affected by the GDPR insofar as they are active with branches in EU countries. So in the event of violations, they too could be fined under the GDPR. A new Swiss data protection law (see box) awaits after long discussion for its entry into force - possibly in mid-2022.

Record high fines in 2021

Data security services provider Atlas VPN has calculated the DSGVO fines in 2021. According to their data, these amount to over €1 billion, with a total of 412 fines imposed in 2021. The companies that had to pay the highest fines for violations of the GDPR include global companies such as Amazon and WhatsApp, but also various national telecommunications service providers. The extent to which Swiss companies also had to pay GDPR fines is not clear from the information provided by Atlas VPN.

In 2018, when the EU implemented the GDPR law, a total of 436,000 euros in fines were imposed on companies. The next year, 2019, the amount of fines increased significantly to 72 million euros. Then in 2020, the total value of fines imposed by the end of the year exceeded 171 million euros. However, 2021 far surpassed previous years, producing GDPR fines of more than EUR 1 billion, an increase of 521 % from the previous year.

Amazon Europe Core S.à.r.l. had to pay the highest fine in 2021, €746 million. Later, in September, the EU fined WhatsApp Ireland Ltd. 225 million euros, the second-highest fine in the history of the GDPR. Vilius Kardelis, cybersecurity writer at Atlas VPN, can be quoted as saying, "The GDPR continues to successfully hold companies accountable when they misuse people's data or are unclear in their privacy policies. Companies have become more responsible in handling their customer data to avoid hefty fines from regulators, ultimately benefiting all EU citizens." So the efforts to improve data protection seem to be starting to bear fruit.

DSGVO buses in country comparison

In some countries, the updated data protection laws had a significant impact on companies, as they were subject to appropriate fines under the new system. In Spain, for example, 351 fines were imposed, amounting to EUR 36.7 million. The average fine is around EUR 105,000, which means that Spain has collected by far the most fines compared to all other countries. The biggest "sinners" there turned out to be various telecom providers, above all Vodafone Spain, which had violated the GDPR regulations several times with various marketing activities.

Italy is in second place with 101 GDPR fines, for which companies had to pay almost EUR 90 million. The average fine in Italy in 2021 was around EUR 887,000, which is one of the highest compared to other countries. In our southern neighboring country, TIM, a large telecommunications service provider, was also asked to pay. The company had to pay a fine of 27.8 million euros for improper collection and dissemination of data.

Third on the list is Romania, which has imposed a total of 68 penalties that add up to 721,000 euros. Although the country has imposed many penalties, the average is less than 11,000 euros.

Source: VPN Atlas

New data protection law in Switzerland

Switzerland is also getting a new data protection law. This was adopted on September 25, 2020 and is expected to come into force possibly in mid-2022. It is essentially based on the EU's GDPR and aims to increase transparency in the exchange and processing of personal data, promote the personal responsibility of data operators, and strengthen data protection supervision by the Federal Data Protection and Information Commissioner (FDPIC). The new Swiss data protection law also brings an expansion of the penal provisions with fines of up to 250,000 Swiss francs.