A report produced by DLA Piper has calculated the hefty toll of fraud and GDPR breaches in fines issued in 2022.
The annual GDPR and Data Breach survey shows that European regulators issued EUR 2.92 billion in fines to companies that were non-compliant with data privacy regulations and did not install robust digital identity systems.
Regulators from European countries were called on to collate the data proving data and GDPR violations by private sector companies.
Key findings include:
- A 168% increase in GDPR fines issued vs the previous year, at EUR 2.92bn / USD 3.1bn / GBP 2.54bn
- A highest individual fine of EUR 405mn, imposed against Meta in Ireland
- A slight fall in the average number of data breaches at 300 a day, vs 328 the year prior
The report is especially critical of the advertising and marketing activities of large tech companies and social media networks which breached GDPR to personalise user campaigns.
Ross McKean, Chair of the UK Data Protection and Cybersecurity Group, confirmed a pattern of harmful advertising practices, saying:
“The spate of Irish Data Protection Commissioner fines targeting the behavioural advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the “grand bargain” at the heart of today’s “free” internet, as Schrems II has been for international data transfers. Given what is at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”
The largest fines issued were levied against Meta and Instagram, which stand accused of harvesting users’ data and conducting a mass profiling operation for targeted marketing campaigns. Meta was ordered to pay penalties of EUR 210m, while Instagram was also slapped with a EUR 180m fine.
109,000 data breaches were reported from 28 January 2022, indicating a decrease of 120,000 reports from the previous year. The average total of notifications dropped from 328 per day to 300 per day.
The survey predicts that harsher enforcement of laws will be implemented to ensure culpability for the abuse of personal data.