Watch what you share, activists warn as 60,000 data breaches reported under new EU rules

by Umberto Bacchi | @UmbertoBacchi | Thomson Reuters Foundation
Tuesday, 5 February 2019 19:32 GMT

A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

Image Caption and Rights Information

Leaks reported since the law was adopted in May 2018 included anything from major hacks to minor incidents like an email sent to the wrong address or lost USB stick

By Umberto Bacchi

LONDON, Feb 5 (Thomson Reuters Foundation) - Almost 60,000 personal data breaches have been reported to Europe's regulators since the EU adopted a landmark privacy law, according to figures published on Tuesday that campaigners said should spur people to think twice about what they share online.

The EU's General Data Protection Regulation (GDPR) requires organisations holding personal information, such as a person's name, address and religion, to notify authorities when they suffer a breach - or face a hefty fine.

Leaks reported since the law was adopted in May 2018 included anything from major hacks to minor incidents like an email sent to the wrong address or lost USB stick, according to a study by global law firm DLA Piper. "The GDPR is driving personal data breach out into the open," said Ross McKean, a partner at the firm specialising in cyber and data protection.

Of the 26 countries analysed, the Netherlands, Germany and Britain, reported the most breaches, while Italy, Greece and Romania had the lowest per capita rate of reporting - something that suggested varying levels of compliance, said McKean.

Francisco Vera, an advocacy officer at campaign group Privacy International, said it was hard to tell whether the total number of breaches was unusually high, as it was the first time such figures were available.

"That alone shows how important breach notifications are," he said. "They reinforce accountability of those who are processing our personal data and make consumers aware of the risks they might be facing."

Numbers should decrease as fines and consumer pressure push companies to better security, said Diego Naranjo, a policy advisor at advocacy group European Digital Rights (EDRI).

"Security breaches will always occur as technologies are not perfect," he told the Thomson Reuters Foundation by phone.

"(But) companies should be careful with what they gather and why they gather it and individuals should be careful not to provide too much information in case it gets leaked".

The GDPR gives new powers to privacy enforcers, allowing them to levy fines of 20 million euros ($23 million) or up to 4 percent of global revenue, whichever is higher.

Not all of the about 90 fines imposed under the GDPR regime so far related to personal data breach, but more are expected to be issued in the coming months as regulators complete their investigations, said McKean.

"It is a question of when rather than if," he said.

In January, the French data protection watchdog slapped a 50 million euro fine on Google for failing to properly obtain users' consent for personalised ads, the largest sanction under GDPR rules to date.

(Reporting by Umberto Bacchi @UmbertoBacchi, Editing by Claire Cozens. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers humanitarian news, women's and LGBT+ rights, human trafficking, property rights, and climate change. Visit

Our Standards: The Thomson Reuters Trust Principles.