Data Protection News 2020/21

2020 Summary Statistics and Q1 2021 Round-up
July 30 2021

2020 Data Protection Summary Statistics

2020 was a record-breaking year, both for the value of fines issued by the ICO and for the number of known cyber security incidents worldwide.

The total value of fines issued by the ICO in 2020 exceeded £42 million, double the £21 million in fines issued in the preceding 10 years combined.  The lion’s share of the 2020 fines went to British Airways (£20 million) and Marriott International (£18.4 million), which, although high, were both significantly lower than the originally intended fines of £183 million and £99 million, respectively.

The total number of reported records leaked in 2020 was 20.5 billion, across 1,032 known data breaches and cyber-attacks.  For comparison, 2019 saw 15 billion records leaked across 920 incidents, so both figures continue to rise year on year.

New Data Protection Laws:

There were a number of new data protection laws that came into force in 2020.  Many countries are aligning local law with the GDPR, which is widely regarded as the global gold standard. Like the GDPR, many of these laws apply to organisations outside the country of origin, so businesses operating in any of these jurisdictions should perform a risk assessment of the changes:

United States
The California Consumer Privacy Act of 2018 (CCPA) took effect on January 1st, 2020
South Korea
Amendments to the Personal Information Protection Act (“PIPA”) and the Network Act came into force on August 5th, 2020
Brazil
The Brazilian General Data Protection Law (LGPD) has been in force since September 18th, 2020
Dubai International Financial Centre
In July 2020 the DIFC brought a new Data Protection Law into effect, which became enforceable on 1st October 2020
New Zealand
The Privacy Act 2020 and its Information Privacy Principles (IPPs) came into force on 1st December 2020

Similarly, a number of data protection laws are due to come into force in 2021:
Singapore
The Personal Data Protection (Amendment) Bill was passed by the Singapore Parliament in November 2020. Certain sections of the Amendment Act have been in force since February 1st, 2021
Panama
Data Protection Law No. 81 of March 26th, 2019 took effect on March 29th, 2021
Thailand
On 28th May 2019, the Personal Data Protection Act became law in Thailand. The original one-year grace period was extended until 1st June 2021
South Africa
The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1st July 2020, with a one-year grace period for compliance
Republic of North Macedonia
The Law on Personal Data Protection took effect on 24th February 2020 and, following an 18-month transition period, comes into force on 24th August 2021
Bermuda
The Personal Information Protection Act 2016 (PIPA) is expected to come into force in 2021
The Draft Data Protection Law is expected to be adopted in its current text within 2021
India
The Personal Data Protection Bill 2019 (the PDP Bill) is currently pending consideration by the Indian Parliament and is expected to come into effect towards the end of 2021
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is expected to be replaced by a new federal statute sometime in 2021 or 2022

Q1 2021 Data Protection Fine and Breach Summary:

In Q1 of 2021, the ICO issued 11 fines with a combined value of £1.2 million. All of these fines were for unsolicited or nuisance messages: 6 related to phone calls made to TPS-registered numbers, and the other 5 were for unsolicited marketing calls, emails and text messages. The largest of the fines, £250,000, was issued to Leads Work Limited for sending 2.7 million texts without informed consent, which generated a whopping 10,000 complaints over 41 days.

There were at least 3.25 billion records leaked globally between January and March 2021, through 337 publicly reported incidents. The biggest of these was an exposure of 1.5 billion records, apparently from a development database accidentally left publicly accessible by the American internet giant Comcast.

There have been 4 multi-million-euro GDPR fines in Europe so far this year:

  • €10,400,000, from the German Data Protection Authority of Niedersachsen, on 8th January, for failing to establish a legal basis for 2 years of video surveillance of employees
  • €8,150,000, from the Spanish Data Protection Authority (AEPD), on 11th March, to Vodafone España for sending marketing messages to people even after they had lodged formal objections
  • €6,000,000, from the Spanish Data Protection Authority (AEPD), on 13th January, to CaixaBank for issuing a new privacy notice covering the transfer of customer data to all other companies in the group, without an easy option to refuse consent
  • €4,500,000, from the Italian Data Protection Authority (Garante), on 25th March, to Fastweb SpA for aggressive telemarketing

There have been no massive UK-based data breaches so far this year, but ransomware is by far the biggest ongoing threat. Wentworth Golf Club, Trafford bin collections and UK Research and Innovation all suffered ransomware attacks in February, and dozens of schools and colleges were targeted during March. The most controversial case was FatFace, which paid a ransom of $2 million to the Conti ransomware gang in January; this only came to light in late March when the company notified the data subjects and the ICO. Under the GDPR, a breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them. Furthermore, the notification to the data subjects was marked ‘confidential’ and recipients were asked not to disclose the breach to anyone… so of course people immediately took to social media to highlight the lack of transparency and point out the irony!

Leading Resolutions offers a variety of data protection services, risk assessments and guidance. Please get in touch if you have any data protection questions or concerns.

About the Author

Maria McCoy

Head of Data Governance and Compliance