Photo of Peter Craddock

Since it started in May 2018, enforcement of the rules of the General Data Protection Regulation (GDPR) across the EU has revealed various national trends and differences in approach. Yet one difference seems to dwarf all others: the variation in the amount of the fines for GDPR violations. This has led the European Data Protection Board (EDPB) to publish new guidelines in May 2022 on the calculation of administrative fines under the GDPR.

The EDPB’s proposed methodology includes a formula for reaching a “starting amount” for fines, one that can afterward be adapted based on mitigating and aggravating circumstances. This formula is what we included in our GDPR fine calculator, DeFine, available here.

But a new methodology could lead to changes, so we analyzed over 300 fines, notably the top 250 fines on companies with an identifiable turnover. Based on our analysis, Italy has by far imposed the largest number of fines that would be on the “high” end of the scale of the new EDPB methodology, while across all supervisory authorities, fines for companies with a turnover of more than 250 million EUR are overwhelmingly on the “low” end of the scale.

Our key conclusion: if unchanged, this methodology could lead to significantly higher fines in the future. Read our analysis here.