According to data compiled by Finbold, the EU GDPR fines for 2021 Q3 hit €984.47 million, which is almost 20 times higher than cumulative fines of €50.26 million imposed during Q1 and Q2. To put this into perspective, the Q3 2021 GDPR fines are also three times higher than the €306.3 million imposed across the entire 2020.  Luxembourg also accounts for the highest cumulative fines at €746.07 million from 11 cases, followed by Ireland at €225 million tally. Among the top ten countries with the highest fines, Italy ranks third at €86 million from 92 cases. Spain has the most cases at 296. Data on EU’s GDPR fines is retrieved from enforcementtracker.com, provided by CMS Law.Tax.

Factors fuelling high GDPR fines 

The significant total fines come barely three years after the GDPR law came into effect. In general, the figures reflect the continued crackdown on businesses as regulators find means of implementing the laws. Worth noting is that GDPR investigations are lengthy and consume a lot of time, running into several months. Therefore the high figures recorded might reflect the fines from investigations that commenced and only concluded in the third quarter.  Furthermore, the imposed fines do not necessarily mean that the affected business might pay the exact amount. Notably, some companies are known to launch appeals that sometimes lead to the scrapping of the fines or reduction.  Interestingly, imposing the GDPR fines opens the door for heated legal battles in the coming years. Notably, different regulators have adopted varied interpretations of the laws, with some considered extremely strict. At the same time, some market players have termed the GDPR fines as full of ambiguities and inconsistencies, which has opened the door for varied implementation. Additionally, in 2020, regulators showed some form of leniency towards businesses as a cushion towards the coronavirus pandemic. The period saw businesses undergo financial hardships. Therefore, it can be assumed that the high fines in 2021 indicate that the cushion emanating from the pandemic is no longer applicable as most countries resume normal economic activities amid the vaccination campaigns. 

Why tech companies are most hit 

With technology controlling most aspects of modern life, it is no surprise that companies from the industry are among the most hit. Some of the impacted tech platforms are dominant with billions of customers, which handle loads of personal data. Consequently, regulators across Europe have focused more on the transfers of personal data.  Moving forward, the value of the fines is likely to keep soaring as more regulators gather confidence to implement the GDPR guidelines. Furthermore, some jurisdictions might move forward and add other punitive measures on top of the fine in a bid to improve bad data processing habits.  At the same time, organizations will likely remain cautious, considering the GDPR landscape is still evolving, and there is always a possibility of new and stricter rules emerging in the future.