
GDPR fines up 39% in 2020


Regulatory fines for data breaches under the General Data Protection Regulation increased 39% in Europe during the past year to €158.5 million ($192.5 million), according to new research from law firm DLA Piper LLP.

The company said regulators “tested their powers” under the GDPR in 2020 after a slow start during the regulation’s first 20 months when fines totaled €114 million.

Total fines levied since the GDPR was introduced in May 2018 now stand at €272 million, with five country regulators accounting for more than 92% of the total, according to DLA Piper.

Italy has imposed the highest fines at €69.3 million, followed by Germany at €69.1 million and France at €54.4 million. The U.K. has imposed €44.2 million of fines and Spain €14.5 million. The French data protection regulator CNIL has levied the largest GDPR fine to date, of €50 million against Google LLC.

The report says there were 281,000 data breaches notified to European regulators under the GDPR by the end of January 2021. Germany has the most at 77,747, followed by the Netherlands at 66,527 and the U.K. at 30,536. France and Italy recorded just 5,389 and 3,460 data breach notifications, respectively.

DLA Piper said that while regulators are flexing their new muscle under the GDPR, they have also had several cases appealed or fines reduced.

Last month, Austria’s postal service successfully appealed an €18 million data breach fine. In the U.K., the Information Commissioner’s Office reduced a record fine of £183 million ($251.1 million) against British Airways (BA) to £20 million. It also slashed a proposed fine of £100 million against hotel chain Marriott International to just over £18 million.

Legal arguments against fines are likely to continue, said the law firm.

Ewa Kurowska-Tober, global co-chair of DLA Piper’s data protection and security group, said: “Regulators have been testing the limits of their powers this year, issuing fines for a wide variety of infringements of Europe’s tough data protection laws. But they certainly haven’t had things all their own way, with some notable successful appeals and large reductions in proposed fines. Given the large sums involved and the risk of follow-on claims for compensation, we expect to see the trend of more appeals and more robust defenses of enforcement action continue.”

Ross McKean, chair of DLA Piper’s UK data protection and security group, added: “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead.”

Mr. McKean said DLA Piper now expects the first enforcement actions regarding transfers of personal data to the U.S. and other third-party countries following the Schrems II case. In July last year, the European Court of Justice ruled against the Privacy Shield agreement that allows EU consumer data held by tech firms and other businesses to be transferred to the U.S.