Global Regulators Taking A Hard-line Approach To Data Protection, Finds Law Firm DLA Piper
Only weeks into 2021, privacy and cybersecurity are already back on the radar as essential issues for New Zealand businesses, following the high-profile data breach affecting the Reserve Bank. A DLA Piper global survey makes sobering reading:
Businesses have been fined EUR272.5 million (about NZD462m) for a wide range of infringements of Europe’s tough data protection laws. The figure is taken from the law firm’s latest annual General Data Protection Regulation (GDPR) fines and data breach report, covering the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein. EUR158.5 million (NZD269m) of fines have been imposed in the last year alone, a nearly 40% increase on the previous 20-month period since GDPR came into application.
Although New Zealand’s new Privacy Act 2020 does not give the Privacy Commissioner here the power to issue fines as significant as those available to European and UK regulators, New Zealand's introduction of mandatory data breach reporting means businesses are on notice. They should be watching keenly how breach notifications are dealt with in jurisdictions with more established data breach reporting regimes. Salient statistics from DLA Piper's report include:
- Double-digit growth in breach notifications for the second year running, with 121,165 breaches notified since 28 January 2020 compared to 101,403 breaches notified in the previous year – a 19% increase.
- Per capita, Denmark tops the rankings for data breach notifications.
- Italy has imposed the highest aggregate fines, with France imposing the highest individual fine to date.
Nick Valentine, head of DLA Piper's New Zealand Data Protection team, says "Regulators in the EU and UK have been testing the limits of their powers over the last 12 months. It will be interesting to see whether the Privacy Commissioner takes a similar hard-line approach in exercising his new powers under the Privacy Act 2020 (such as the issuing of compliance notices), and how New Zealand businesses will approach mandatory data breach reporting from here on in."
N.B. Not all Member States of the European Economic Area make details of breach notification statistics publicly available. Several have only provided incomplete statistics, or statistics for part of the period covered by this report, so the figures have been rounded up and in some cases extrapolated to provide best approximations. Similarly, not all GDPR fines are publicly reported, and some data only covered part of the period covered by this report.