Europe’s privacy regime: 5 years in 5 charts

Europe’s most famous technology law, the General Data Protection Regulation (GDPR), turned 5 on Thursday.

The law, which came into force on May 25, 2018, has prompted businesses — from tech giants to hotel chains, cellphone companies to mom-and-pop businesses — to tighten their privacy policies. Many have cleaned up how they handle people’s personal data, encouraged by the prospect of being fined up to 4 percent of their annual revenue.

Despite its wide influence on organizations’ handling of personal information — and on how people consider both privacy and EU rulemaking more broadly — the bloc is in a fierce debate over whether its rulebook has succeeded in delivering on its promise. European regulators have clashed over how to hold Big Tech to account, and the European Commission is looking to fix some of the GDPR’s flaws to allow for speedier, more forceful responses to privacy violations, in a new proposal expected in early July.

POLITICO scoured the statistics aggregated by the GDPR Enforcement Tracker, an online tool managed by law firm CMS that keeps tabs on fines imposed under the GDPR, to review the law’s first five years by the numbers.

Spain was most zealous in fining ...

Two Southern European countries have imposed the highest number of fines for privacy violations: Spain, with 646, and Italy, with 265. They’re followed by Germany, with 145, and Romania, with 138.

... but Ireland and Luxembourg hold sway over Big Tech

When it comes to the total value of imposed fines, Ireland tops the charts easily, with a combined €2.5 billion. Almost half came from this week’s €1.2 billion fine against Meta for its failure to properly protect Europeans’ data when transferring it to the United States.

Luxembourg, one of Europe’s smallest countries, comes second, with €746 million in fines. The whole amount stems from just one fine imposed on Amazon in 2021.

The reason for this is that Ireland and Luxembourg host most large technology companies — which benefit from favorable tax regimes in these countries — and the GDPR stipulates that cross-border investigations should be conducted by the national regulator of the country where the company has its European headquarters.

It’s a principle called the "one-stop-shop," and it is at the heart of criticism that the law’s enforcement has been slow and weak, as privacy groups and many data protection regulators across Europe have spoken out against the Irish regulator’s approach to upholding the law.

“There are some goals to be achieved in the enforcement side of the GDPR; it’s still too slow,” Germany’s Federal Commissioner for Data Protection Ulrich Kelber said at a privacy conference in Brussels this week.

Industrial sector is most targeted — but tech firms get the big bills

The highest number of fines were imposed on "industry and commerce" companies.

But it’s media, telecom and broadcasting firms (the big-brand technology companies among them) that got the biggest fines, followed by companies in the transport and energy sectors and those in finance, insurance and consulting.

There have been 232 fines imposed on individuals, but these were consistently small, with a median amount of €2,000.

The long lead-up

This week’s monster fine on Meta was the biggest GDPR fine imposed so far and the first to exceed €1 billion. It bolsters some regulators’ claims that the law is fully up and running in cracking down on privacy abuse.

But a timeline shows it took a couple of years for regulators to really get the ball rolling on GDPR enforcement: Almost no fines were imposed in 2018, and just a few in 2019; only in 2020 did regulators start to finalize and speed up their investigations.

“Our engine is roaring and we are going faster every day,” Andrea Jelinek, the outgoing chair of the pan-European group of data protection regulators, told a conference this week.