COMPANIES have been forced to pay around €114 million (£97m) in fines for breaching European privacy rules, a new report has claimed.

More than 160,000 data breaches have been reported across the European Union, Norway, Iceland and Liechtenstein since a new law came into force nearly two years ago.

British companies were the third most frequent offenders against the General Data Protection Regulation (GDPR) rules, with more than 22,000 breaches reported in the UK since the law was introduced in May 2018. However, they contributed only €320,000 (£275,000) of the total fines, according to new research by law firm DLA Piper.

Two prominent British cases involving British Airways and Marriott were not included in the figures because the fines have not yet been finalised.

If the data had included the combined fines of £282m (€329m) the Information Commissioner’s Office last year suggested it will levy over those breaches, it would bring the total EU-wide figure to €443m (£367m).

Companies in France have paid the most, with €51m (£43m) in fines for breaches of GDPR.

Germany was second at €24.5m (£21m), and then Austria, where companies paid out €18m (£15m) for breaches.

Eight countries in the bloc are yet to impose any financial penalties at all and only five countries of the 28 have fined their businesses more than €1m (£850,000).

“We expect to see momentum build with more multimillion-euro fines being imposed over the coming year as regulators ramp up their enforcement activity,” Ross McKean, a partner at DLA Piper, said.

The biggest fine to date, not counting the two UK cases which are yet to be finalised, was a €50m (£43m) charge that French authorities imposed on Google.

The number of reports of breaches have increased by 12% compared to the last time DLA Piper compiled the data.

GDPR was introduced in May 2018 in a bid to regulate the way that companies and the public sector store information about their customers. Organisations can face fines of up to €20m or 4% of annual global turnover if they are found to have breached GDPR rules.