Almost four months after the General Data Protection Regulation (GDPR) came into full effect, we can see a tremendous increase in data breach reports across Europe, though for different reasons.
According to a survey by “Welt am Sonntag”, the number of complaints from individuals in Germany has exploded since 25th May 2018. In the first month alone, the supervisory authorities received more complaints than in the whole year before. This means that they get ten times more e-mails, letters and calls than before. They received most of the complaints right after the implementation of the GDPR.
In Berlin, for example, there were already about 130 complaints on 28th May. The Berlin Data Protection Authority received 1,380 reports from May to July, which is about four times higher than in the year before. The Hamburg Data Protection Officer has registered that complaints doubled in the first month. The North Rhine-Westphalia authority calls itself a call centre because of more than about 100 calls per day in the first month of GDPR. In addition, there have been 1,004 reports to the Federal Data Protection Officer after only two months, plus 500 notifications to the state representatives. Interestingly, it is almost exclusively individuals who report to the German authorities.
France has already seen the volume of complaints increase by more than 50% compared to the year before. A similar phenomenon can be observed, for instance, in the UK. The number of reports of data breaches to authorities is four times higher than initially. In June alone there were 1,750 reports, most of them by telephone and concerning the health and education sectors.
We do not know the reasons why, but we believe that a mixture of public hysteria around May 24th, a strong mistrust of US data leeches and the impression that consumers now have a chance to “pay back” have had a certain impact on the increasing number of notifications in Germany. Furthermore, many notifications are not about data breaches but result from uncertainty in connection with the GDPR.
In the UK, by contrast, the reason why companies rather than individuals report so many supposed breaches might be that they are more uncertain about their compliance with the GDPR and their obligation to notify data breaches. The ICO has already asked companies not to “over-report”. They should first determine whether a breach is indeed reportable under the GDPR’s requirements rather than simply reporting everything in the interests of transparency.
It will be interesting to observe whether the number of data breach notifications remains that high and to what extent – especially in Germany – the increase was caused by hysteria and uncertainty among consumers. In any case, companies and citizens need better information about their rights and duties in connection with data breach notifications. As long as supervisory authorities are not able to provide this information and reduce uncertainty, it will be our job, as lawyers, to counsel our clients accordingly.