Supervisory Authorities See Many Breaches But Issue Few Penalties

Last week, I wrote about how I’d be digging into the data to uncover enforcement trends by the EU Supervisory Authorities (SAs) under the GDPR. You can read some of the initial findings here (Do Supervisory Authorities Care About Data Breaches).

So What’s a Data Breach, Anyway?

Under Articles 33 and 34, controllers are obliged to report personal data breaches to the competent Supervisory Authority and, where a breach is likely to result in a high risk, to the affected data subjects, in each case without ‘undue delay’; processors must notify the controller.

Article 4 of the GDPR broadly defines a ‘personal data breach’ as any

breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

GDPR, Art. 4 (12)

This goes beyond what many of us might conceive of as a ‘data breach’, namely an intentional act by threat actors against a victim. Because the GDPR definition is so broad, the scope of a breach also includes more mundane events: misdirected emails, gaps in access controls, and even shoddy storage practices.

Under Article 33, personal data breaches must be reported by the controller to the relevant SA(s) unless the breach is unlikely to result in a risk to individuals, while processors must report any breach to the controller:

(1) … the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

(2) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

GDPR, Article 33

Reporting Data Breaches, By the Numbers

This has led to an explosion in data breach disclosures made to regulators. According to the DLA Piper Data Breach Survey published in January 2020, 160,921 personal data breaches were reported to regulators between 25 May 2018 and 27 January 2020. This encompasses all EU member states, the UK, Norway, Iceland and Liechtenstein. Thousands more have doubtless been reported in the months since.

The Netherlands, Germany, the UK and Ireland topped the list for the number of notifications made to regulators, with 40,647, 37,636, 22,181 and 10,516 notifications, respectively.

Between 25 May 2018 and 27 January 2019, there were, on average, 247 breach notifications reported to supervisory authorities per day. For the period from 28 January 2019 to 27 January 2020, there were an average of 278 breach notifications per day, a 12.6% increase over the previous period.

As a point of comparison, 724 breaches were reported in the VERIS Community Database (VCDB) for the same time period. I noted in my previous post that although the VCDB isn’t perfect, it’s probably the best public-disclosure database we’ve got.

Clearly, the mandated reporting mechanisms under the GDPR are working.

Data Breach Enforcement

However, enforcement, particularly against data breaches, is not. Based on an analysis of all enforcement actions maintained by EnforcementTracker.com, there have been enforcement actions for just 91 events classed as a data breach, whether the breach resulted from a deliberate attack, an inadvertent disclosure, or inadequate technical or organisational controls that led to unauthorised access.

This represents just 0.06% of reported breaches (91 of 160,921) making their way to a final enforcement action, though it’s likely that other actions are currently being pursued by data protection authorities. Here’s a breakdown of the countries that have issued an enforcement action for data breaches:

And here’s a breakdown of fines by country. Fines >€100,000 are included in the tooltip information:

So, Do Regulators Actually Care About Data Breaches?

During a podcast interview I did for the Clearly Cloud Podcast this week, we discussed some of these findings, and I hypothesised possible reasons why SAs have been reluctant to pursue enforcement generally, and against data breaches in particular. While I’m mindful that budgets are tight and headcount is limited, I don’t think that’s the full story. For example, the DPC of Ireland, which received 10,516 breach notices according to the DLA Piper study, has a headcount of 160 staff and a budget of €17m. Yet @DPCIreland has issued only two enforcement actions, both against the Tusla Child and Family Agency, for violations under Arts. 5, 6 and 33.

It’s hard to reconcile countries like Ireland and the UK with enforcement-led jurisdictions like Spain, Germany and Romania. Sure, the fines coming out of Spain and Romania aren’t as headline-grabbing as the UK’s fines against Marriott and British Airways, but critically, they are being enforced.

Budgets alone can’t be the roadblock to better and more responsive action. Rather, I think some countries, Ireland in particular, have competing demands. So much of the Irish economy is built on being a data and tax haven for US and other multinational firms. Were Helen Dixon and her team to substantially increase enforcement, I foresee direct political and economic consequences.

There’s also something to be said about shooting for the moon, as the UK did. It’s always exciting to take down a Google, Facebook or TikTok. They’re big, shiny targets. But they also have a legion of lawyers, and their cases often involve complex, nuanced and deeply technical questions that consume time and resources, creating a backlog of easier, lower-profile cases that might still yield positive change.

One has to ask: what’s the purpose of the GDPR if enforcement is so intertwined with economic and political considerations? Does it matter that a strong rights regime exists if few ever face the consequences? Does the Schrems II decision, with its reliance on SAs to police cross-border transfers, even matter if the SAs can’t keep up with their current caseloads?

Next week, I’ll talk a bit more about some of the interesting findings, and draw out some cases that might offer some insights on how to ensure that the GDPR has teeth.