Strict limits on transferring personal data under GDPR could cause “damaging and costly” disruption to businesses, DLA Piper has warned as data protection fines rose sevenfold in 2021.
Nearly €1.1bn of fines have been imposed since 28 January 2021 across the EU, UK, Norway, Iceland and Liechtenstein – a 594% year-on-year increase.
Amazon was hit with the largest fine of the year – €746m – by the Luxembourg data protection supervisory authority. Amazon has appealed the fine, maintaining that there was no data breach.
More than 130,000 personal data breaches were logged in this period, or about 356 per day, according to data gathered by DLA Piper for its latest annual survey of breaches.
Although the rise in fines was significant, DLA Piper said the main concern for businesses is compliance with a July 2020 ruling, known as Schrems II, which imposed strict limits on the transfer of personal data from Europe and the UK to “third countries”.
Companies that fail to meet requirements face suspension orders, fines and claims for compensation.
What is Schrems II?
In July 2020, the Court of Justice of the European Union ruled that the US does not provide an “essentially equivalent” level of personal data protection. As a result, companies that hold personal data must ensure that if data is transferred to another country, it is given the same level of protection as it would under GDPR.
Companies that export data between Europe and the US, for example, will have to carry out comprehensive mapping of those transfers with detailed assessments of legal and practical risks, DLA Piper said.
Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group, said: “The Schrems II judgement has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers.”
She added that meeting the requirements of Schrems II is “a challenge even for the most sophisticated and well-resourced organisations and is beyond the means of many small and medium sized enterprises”.
‘Damaging and costly’ risks of not complying
Besides fines and claims for compensation, the ruling states that data operators must suspend transfers if they find that data subjects are not given the same “essentially equivalent” protection in another country.
That risk is “potentially more damaging and costly” than fines, Ross McKean, chair of DLA Piper’s UK data protection and security group said. Businesses could face an interruption to their services if authorities prohibit their data transfers.
He added: “The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks.”