'Measured approach' or light-handed GPDR? Noyb reports only 1.3 percent of EU cases result in fine

When Europe’s strict set of data protection rules came into force nearly seven years ago, privacy campaigners, industry experts, and lawyers all warned that noncompliance could result in eye-watering fines and other costly sanctions, especially for repeated breaches. However, the reality appears to be very different.

On average, only 1.3 percent of cases before EU data protection authorities (DPAs) result in a fine, according to a report by privacy campaign group Noyb, which based its research on figures from the European Data Protection Board (EDPB), the EU’s key enforcer of the General Data Protection Regulation (GDPR). At the same time, Noyb said large companies can easily ignore access requests without serious consequences. This apparent lack of enforcement seems to be very specific to data protection, the group added.

Countries like Spain, Italy, France, Germany, and Romania are widely regarded as being keen privacy enforcers, racking up the majority of the EU bloc’s GDPR fines, as well as handing out some of the highest penalties. Other countries–such as the U.K., Estonia, and the Netherlands–have taken a more tempered approach, however, preferring to guide companies towards compliance and better practices, while only issuing fines in cases where demonstrable harm or egregious noncompliance has been committed.