The General Data Protection Regulation (GDPR) continues causing hefty fines and penalties for businesses and organizations across European countries even two years after coming into force.

According to data presented by BuyShares.co.uk, the United Kingdom tops the list of the most expensive data breach penalties with €132.7 million in total value of GDPR fines, more than German and Italy combined.

Cumulative Value of GDPR Fines Hit €344 Million, a €119 Million Increase in 2020

The primary reason for such a high cumulative value of GDPR fines in the United Kingdom is the data breach penalty imposed by the UK’s data protection authority, ICO, to Marriott International. In November 2018, the American multinational company was fined with €110.4 million after reporting a cyber incident that exposed nearly 340 million guest records.

Last week, the ICO fined British Airways €22 million for failing to protect the personal and financial details of more than 400,000 of its customers, the second-largest GDPR fine in the United Kingdom. The penalty is considerably smaller than the €204.6 million that the ICO initially said it intended to issue back in 2019 after the Magecart group used card skimming to collect the personal and payment information of British Airways` customers.

Far below the United Kingdom, Germany ranked as the second-leading country in Europe with €61.6 million in the cumulative value of GDPR fines, revealed the GDPR Enforcement Tracker data. On October 1st, 2020, H&M Hennes & Mauritz Online Shop was fined with €35.2 million for the insufficient legal basis for data processing, the severest GDPR penalty in the country.

Italian data protection authority (Garante) imposed €57.3 million worth of GDPR fines so far, ranking in third place among European countries. On January 15th, 2020, telecommunications operator TIM was fined €27.8 million for unlawful data processing, non-compliant aggressive marketing strategy, and invalid collection of consents, the steepest penalty in Italy.

France ranked fourth among the European countries with €51.3 million worth of GDPR fines. Austria, Sweden, and Spain follow, with, €18 million, €7million, and €3.9 million, respectively.

Statistics indicate the cumulative value of GDPR fines and penalties hit over €344 million in October, with almost €119 million worth of new fines imposed in 2020.

Top Five GDPR Penalties Account for 70% of Cumulative Fine Value

Behind Marriott’s €110.4 million worth GDPR fine, Google holds second place on the list of the highest data breach penalties. The US tech giant was fined €50 million by France’s data protection regulator, CNIL, for not providing enough information to users about its data consent policies and control in using their data.

H&M Hennes & Mauritz Online Shop ranked third on this list with €35.2 million worth GDPR fine. Italian telecommunications operator TIM and British Airways round the top five list with €27.8 million and €22 million, respectively.

Statistics show the five biggest data breach penalties cost more than €245 million, or 70% of cumulative GDPR fine value.