Ireland ranked second in Europe for data breach notifications

Over 160,000 notifications reported across European Economic Area since GDPR began

The new figures come less than a week after the DPC was once again criticised for having failed to issue any sanctions as yet against leading tech companies who are based locally
The new figures come less than a week after the DPC was once again criticised for having failed to issue any sanctions as yet against leading tech companies who are based locally

More than 6,700 data breaches were notified to Ireland's Data Protection Commission (DPC) last year, the second highest level of notifications recorded per capita across Europe.

New figures show that more than 160,000 data breach notifications have been reported across the European Economic Area, which covers the EU, Norway, Iceland and Liechtenstein, since the General Data Protection Regulation (GDPR) came into force in May 2018. Of this, more than 100,000 were reported in 2019.

The Netherlands came top in terms of reported breaches per capita last year with 147.2 breaches per 100,000 people, according to figures compiled by legal firm DLA Piper. It also topped the list of table for the overall number of breaches reported with 40,647 notifications.

The Republic was in second place per capita with 132.52 notifications per 100,000 people. This marks a 12 per cent increased compared to 74.9 breaches recorded in for the first eight months of GDPR, when the State was ranked in fourth place per capita across Europe.

READ MORE

The new figures come less than a week after the DPC was once again criticised for having failed to issue any sanctions as yet against leading tech companies who are based locally.

GDPR fines

Under GDPR, data regulators have the power to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.

European regulators have imposed €114 million in fines under the GDPR regime to date, with a further €329 million in sanctions threatened.

The highest fine to date under the wide-ranging legislation is the €50 million imposed by the French data protection regulator against Google a year ago, although this was for failing to comply with GDPR obligations, rather than for data breaches.

Among the companies to be be facing fines are British Airways and Marriot, which are looking at bills totalling £183 million (€214.8 million) and £99 million respectively after being sanctioned by the UK's Information Commissioner's Office last year.

According to DLA Piper, France, Germany and Austria top the rankings for the total value of fines imposed to date with just over €51 million, €24.5 million and €18 million respectively.

Rise in daily notifications

Its study shows the rate of daily notifications for breaches increased by 12.6 per cent from 247 per day for the first eight months of GDPR, to 278 per day for 2019.

"GDPR has driven the issue of data breach well and truly into the open," said John Magee, intellectual property and technology partner at DLA Piper.

“It is no surprise to see Ireland – a strategic global hub for data-rich businesses across many sectors – once again ranked highly on number of breach notifications,” he added.

The Irish Data Protection Commission is the lead EU regulator for companies including Google, Facebook, Microsoft and Twitter under the "one-stop-shop" mechanism, which was introduced with GDPR.

Informed sources have said the Data Protection Commission is in the final stages of its investigation into WhatsApp over possible breaches of EU data privacy rules, with a draft decision expected to be circulated to other authorities to consider within weeks.

This is the first of the commission’s many investigations to approach its end point with delays blamed on complications that arise from pursuing companies that operate cross-border.

Charlie Taylor

Charlie Taylor

Charlie Taylor is a former Irish Times business journalist