Last year, the data protection authorities in the EEA imposed 190 fines totalling over €410m, according to a new report by Federprivacy, which analyzed official sources of information in the 30 countries that make up the European Economic Area (EEA). The most active data protection authority was Italy's (GPDP) with 30 actions in 2019, followed by Spain's (AEPD) with 28 and Romania's (ANSPDCP) with 20. The strictest was the UK's (ICO), with €312m in sanctions (76% of the total).
No sanctions have been imposed in a few countries, including Ireland and Luxembourg. These countries host the European head offices of the majority of foreign corporations that process personal data on a massive scale. According to Federprivacy Chairman Nicola Bernardi, "Even though GDPR has laid the groundwork for more consistent legislation in the EU about personal data protection, the report points out a double standard in imposing sanctions among the authorities. The one in the UK, for example, has already fined British Airways and Marriott heavily, while in Ireland no sanction has been imposed yet, even though there are huge technological corporations in this country. We hope that this 'one stop shop' system will not unfairly favour corporations like Facebook, Twitter, Amazon and Google. We await the outcome of 19 different investigations in Ireland."
The most frequently fined violations are: illicit use of personal data (44%), poor security (18%), absent or inadequate information (9%), lack of respect for the rights of the people involved (13%), and computer accidents or other data breaches (9%).