GDPR Fines Almost Doubled in H1 2022: Data Privacy Trends

As Ron Burgundy would say, “that escalated quickly”! GDPR fines almost doubled in the first half of 2022, compared to the first half of 2021.

According to an analysis conducted by AtlasVPN based on data from the GDPR Enforcement tracker, General Data Protection Regulation (GDPR) fines hit a total of €97.29 million in the first half of 2022, an increase of 92% over H1 2021, when the fines were €50.6 million. This despite the fact that legal cases slightly decreased from 215 in 2021 to 205 in 2022.

In other words, even though the number of GDPR violations slightly decreased in 2022, the severity of those violations was considerably worse, leading to the result that GDPR fines almost doubled.

The most noticeable difference between 2021 and 2022 can be seen in February, where the total amount penalized differs by nearly €28 million. If it hadn’t been for the June comparison (where the 2021 fines exceeded 2022 by more than €6 million), 2022 H1 GDPR fines would have been well over double those of 2021 H1.

On the other hand, there is a distinctive trend throughout both years – around 70% of fines happen throughout the first quarter.

So, what do you think? Are you surprised that GDPR fines almost doubled in the first half of 2022? Or are you surprised that they aren’t even larger? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.



  1. I was fortunate to watch the entire four year GDPR gestation, living in Brussels and having contacts with EU Commission insiders. To watch the machinations of Big Tech was a Master Class in manipulation. And to hear the various regulators claiming to be “overwhelmed” and that this GDPR thing “dropped out of the sky” when they had over 2+ years to prepare, budget, and hire before the enforcement date of 25 May 2018 – and time to complain about preparation, budget, and staffing issues beforehand – was a Master Class in regulatory incompetence. Alas, not all of their own making. The bean counters surely are also at fault.

    The fundamental problem was always the collection of data, not its control. Europe introduced the GDPR aimed at curbing abuses of customer data. But the legislation misdiagnosed the problems. It should have tackled the collection of data, not its protection once collected. As I reported several years ago, when the GDPR drafting first began, the focus was on limiting collection but Big Tech lobbyists and lawyers turned that premise 180 degrees and “control” became the operative word. That has always been Big Tech’s mantra: don’t ask permission. Just do it, and then apologise later if it goes bad. Zuckerberg was the poster boy for that mantra.

    Had regulators really wanted to help they would have stopped forcing complex control burdens on citizens, and made real rules that mandate deletion or forbid collection in the first place for high risk activities. But they could not. They lost control of the narrative. As I have noted in a series of posts, as soon as the new GDPR negotiations were in process 4+ years ago the Silicon Valley elves sent their army of lawyers and lobbyists to control the narrative to be about “control” – putting the burden on citizens. The regulators had their chance but they got played. Because despite all the sound and fury, the implication of fully functioning privacy in a digital democracy is that individuals would control and manage their own data and organizations would have to request access to that data. Not the other way around.

    Like consent. In order for a site to track you, Article 4 of the GDPR notes that it needs to obtain a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” And no pre-ticking consent boxes, either, buster.

    But that little tick is, quite literally, just a tiny pile of snow at the top of a massive iceberg. On every page you’re visiting, there could be a few, or dozens, or even hundreds of tiny tech companies working together to take whatever data gets exposed through the webpage you’re visiting into some kind of targeted ad. By the time that annoying ad for some ugly t-shirt pops up on a blog you’re reading, there have already been countless algorithmic bidding wars on that ad space—the spot on the page where an ad appears—that are each their own Olympic feats of Big Tech gymnastics. If this all wasn’t so invasive and upsetting, it would almost be kind of impressive.

    The reality is that the problems that are causing so much turmoil in the world predate the digital and computational acceleration, but are also very much aided by it. It’s not either/or at all. The problem is the creators of all this wonderful technical infrastructure we live in are under social and legal pressure to comply with expectations that can be difficult to translate into computational and business logics. This stuff is about privacy engineering and information security and data economics. Dramatically amplifying the privacy impacts of these technologies are transformations in the software engineering industry – with the shift from shrink-wrap software to cloud services – spawning an agile and ever more powerful information industry. The resulting technologies like social media, user generated content sites, and the rise of data brokers who bridged this new-fangled sector with traditional industries, all contribute to a data landscape filled with privacy perils.

    I’ll expand on all of that next week in a post “The utter failure of the GDPR”. But for now, short answers to your questions:

    1. These fines are minuscule. Looking at just the fines against Big Tech, taken as a group, they amount to .000021 of gross revenue. Beer money. A cost of doing business. So why should they make any real concrete changes to the digital ecosystems and an evolution of their practices? Even the bad boy himself, Max Schrems, said in an interview last week the largest part of the data industry has learned to live with GDPR without actually changing practices.

    2. The GDPR has no provisions that ensure harmonisation of the imposing and calculation of fines. This has already led to diverging practices by the Data Protection Authorities (DPAs). Neither does the GDPR require transparency about imposed fines. Without transparency, the deterrent effect of fines can be questioned. Worse, individuals who are affected by an infringement are not benefited by the imposed fine. Although Article 82 of the GDPR gives any person suffering material or non-material damage resulting from an infringement a right to compensation, the right is more theoretical than practical.

    3. Read the recent Oxford Martin report on the GDPR. While European leaders had pledged to rein in the power of Big Tech, GDPR has in fact strengthened them by weakening their competitors, those against whom the bulk of the fines have been laid. The Oxford Martin findings show that smaller companies have been disproportionally adversely impacted, both in terms of sales and profits, and the burden of compliance. Facebook has 2,500 employees addressing GDPR issues. Go figure.

    4. And who has issued the largest fine for a data privacy violation? The U.S. Federal Trade Commission. $5 billion against Facebook for data privacy violations. A fine equivalent to around 1 1/2 months of Facebook’s operating cash flow. An encouragement, not a deterrent, to keep stealing and monetizing data from FB and Instagram users. So those GDPR fines you quote pale into insignificance.

    I’ll leave it there.
