The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion in fines issued across Europe in 2024.
The Irish Data Protection Commission (DPC) issued fines of EUR310M against LinkedIn and EUR251M against Meta in 2024 and is responsible for enforcing more than half of the total EUR1.2 billion in European GDPR fines in 2024.
Ireland once again remains the preeminent enforcer issuing EUR3.5 billion in fines since May 2018, more than four times the value of fines issued by the second place Luxembourg Data Protection Authority which has issued EUR746.38M in fines over the same period.
The total fines reported since the application of GDPR in 2018 now stand at EUR5.88 billion.
The largest fine ever imposed under the GDPR remains the EUR1.2 billion penalty issued by the Irish DPC against Meta Platforms Ireland Limited in 2023.
In the year from 28 January 2024, EUR1.2 billion fines were imposed. This was a 33% decrease compared to the aggregate fines imposed in the previous year, bucking the 7-year trend of increasing enforcement. This does not represent a shift in focus from personal data enforcement; the clear year-on-year trend remains upwards. This year’s reduction is almost entirely due to the record-breaking EUR 1.2 billion fine against Meta falling in 2023, which skewed the 2023 figures. There was no record-breaking fine in 2024.
Big tech companies and social media giants continue to be the primary targets for record fines, with nearly all of the top ten largest fines since 2018 imposed on this sector. This year alone, in August 2024, the Dutch Data Protection Authority issued a fine of EUR290M against a well-known ride-hailing app in relation to transfers of personal data to a third country.
2024 enforcement expanded notably in other sectors, including financial services and energy. For example, the Spanish Data Protection Authority issued two fines totalling EUR6.2M against a large bank for inadequate security measures, and the Italian Data Protection Authority fined a utility provider EUR5 million for using outdated customer data.
The UK was an outlier in 2024, issuing very few fines. Notably, the UK Information Commissioner John Edwards was quoted in the British press in November 2024 as saying that he does not agree that fines are likely to have the greatest impact and that they would tie his office up in years of litigation.
Perhaps most significantly, a focus on governance and oversight has led to a number of enforcement decisions citing failings in these areas and specifically calling out failings of management bodies. Most notably, the Dutch Data Protection Commission announced it is investigating whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR, following a EUR30.5 million against the company.
This novel investigation into the possibility of holding Clearview AI’s management personally liable for continued failings of the company signals a potentially significant shift in focus by regulators who recognise the power of personal liability to focus minds and drive better compliance.
The average number of breach notifications per day increased slightly to 363 from 335 last year, a ‘levelling off’ consistent with previous years, likely indicative of organisations becoming more wary of reporting data breaches given the risk of investigations, enforcement, fines and compensation claims that may follow notification.
A recurring theme of DLA Piper’s previous annual surveys is that there has been little change at the top of the tables regarding the total number of data breach notifications made since the GDPR came into force on 25 May 2018 and during the most recent full year from 28 January 2024 to 27 January 2025. The Netherlands, Germany, and Poland remain the top three countries for the highest number of data breaches notified, with 33,471, 27,829 and 14,286 breaches notified respectively.
John Magee, Partner and Global Co-Chair of Data, Privacy and Cybersecurity Group, commented on the report:
“The headline figures in this year’s survey have, for the first time ever, not broken any records so you may be forgiven for assuming a cooling of interest and enforcement by Europe’s data regulators. This couldn’t be further from the truth.
From growing enforcement in sectors away from big tech and social media to the use of the GDPR as an incumbent guardrail for AI enforcement as AI-specific regulation falls into place and supervisory authorities looking to impose personal liability on company directors – GDPR enforcement remains a dynamic and evolving arena with Ireland’s DPC remaining at the forefront as Europe’s leading data regulator.”
Participants from Women’s Collective Ireland (WCI), Ronanstown, along with 319 Transition Year (TY) students from…
NovaUCD and CeADAR today announced that they are seeking applications from Irish-based AI start-ups to…
Researchers created a large, complex, two-dimensional “time crystal” on an IBM Quantum Heron r2 chip,…
The European Marine Energy Centre (EMEC) has commenced an 18 month project to advance its…
Minister of State at the Department of Justice with special responsibility for Migration, and Dublin…
Ireland’s MedTech sector is one of the country’s standout success stories. Ireland is home to…
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news
If you’d like to be featured in an upcoming Podcast email us at Simon@IrishTechNews.ie now to discuss.
Irish Tech News have a range of services available to help promote your business. Why not drop us a line at Info@IrishTechNews.ie now to find out more about how we can help you reach our audience.
You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.