GDPR

It's unlikely that anybody out there actually got time off work in honor of Data Protection Day, but statistics are the next best thing, right? On Friday, the European Commission's head of sector for communication tweeted out a link to data tracking the impact of the General Data Protection Regulation since it was implemented last May.

The numbers show that GDPR-related complaints and data breach notifications issued to data protection authorities in Europe are on the rise.

A representative for the European Commission declined to comment on the statistics but did reference a statement released in conjunction with Monday's Data Protection Day that echoes some of the findings there.

“We are already beginning to see the positive effects of the new rules. Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work. They have by now received more than 95,000 complaints from citizens,” the statement said.

A graph included in the statistics that were tweeted out on Friday goes into a little more detail. Since the GDPR's implementation last May, the number of related complaints rose slowly to about 60,000 and hovered there through November. The graph shows another spike through December and January, bringing the total number of complaints to 95,180. Most complaints referenced some form of telemarketing, promotional emails or video surveillance.

Another chart displayed a similar pattern for the number of breach notifications reported to data protection authorities (DPAs) since May. Under the GDPR, companies must disclose a breach to their national DPA within 72 hours. The number of notifications hovered at just under 30,000 through November before rising gradually to a total of 41,502 in December and January.

So far, the number of fines issued remains in the low single digits. The heaviest was issued last week when French data regulator Commission Nationale de l'informatique et des Libertés (CNIL) hit Google with a 50 million euros penalty, citing a lack of transparency, inadequate information and a lack of valid consent regarding the personalization of ads.

It's not quite 4 percent of the company's annual global revenue, the largest fine allowed under the GDPR, but it is the steepest issued so far. Google's competition includes a German social network operator that failed to secure user data (20,000 euros) and an Austrian sports betting café that was penalized for unlawful video surveillance.