Almost 60,000 personal data breaches have been reported to Europe’s regulators since the EU adopted a landmark privacy law, according to figures published on Tuesday that campaigners said should spur people to think twice about what they share online.
The EU’s General Data Protection Regulation (GDPR) requires organizations holding personal information, such as a person’s name, address and religion, to notify authorities when they suffer a breach – or face a hefty fine.
Leaks reported since the law took effect in May 2018 ranged from major hacks to minor incidents such as an email sent to the wrong address or a lost USB stick, according to a study by global law firm DLA Piper.
“The GDPR is driving personal data breach out into the open,” said Ross McKean, a partner at the firm specializing in cyber and data protection.
Of the 26 countries analyzed, the Netherlands, Germany and Britain reported the most breaches, while Italy, Greece and Romania had the lowest per capita rate of reporting, something that suggested varying levels of compliance, said McKean.
Francisco Vera, an advocacy officer at campaign group Privacy International, said it was hard to tell whether the total number of breaches was unusually high, as it was the first time such figures were available.
“That alone shows how important breach notifications are,” he said. “They reinforce accountability of those who are processing our personal data and make consumers aware of the risks they might be facing.”
Numbers should decrease as fines and consumer pressure push companies to better security, said Diego Naranjo, a policy advisor at advocacy group European Digital Rights (EDRI).
“Security breaches will always occur as technologies are not perfect,” he told the Thomson Reuters Foundation by phone.
“[But] companies should be careful with what they gather and why they gather it and individuals should be careful not to provide too much information in case it gets leaked.”
The GDPR gives new powers to privacy enforcers, allowing them to levy fines of up to 20 million euros ($23 million) or 4 percent of global annual revenue, whichever is higher.
Not all of the roughly 90 fines imposed under the GDPR regime so far related to personal data breaches, but more are expected to be issued in the coming months as regulators complete their investigations, said McKean.
“It is a question of when rather than if,” he said.
In January, the French data protection watchdog slapped a 50 million euro fine on Google for failing to properly obtain users’ consent for personalized ads, the largest sanction under GDPR rules to date.