DPC responsible for issuing more than half of €1.2bn GDPR fines in 2024

GDPR
/ 21st January 2025 /
George Morahan

A total of €1.2bn in fines for GDPR breaches was issued across Europe last year, law firm DLA Piper has found in its seventh annual GDPR fines and data breach survey.

The Data Protection Commission issued fines worth more than half of the 2024 total, including fines of €310m and €251m against LinkedIn and Meta, respectively.

The Irish regulator has issued fines of €3.5bn since GDPR came into force in May 2018, which is more than four times the €746.4m in fines issued by the Luxembourg Data Protection Authority in second place and nearly 60% of the €5.9bn total.

The largest-ever fine imposed under the GDPR remains the €1.2bn penalty issued by the DPC to Meta in 2023.

The €1.2bn in fines imposed under GDPR last year represented a 33% decrease compared to 2023, ending a seven-year trend of increasing enforcement.

The reduction was almost entirely due to the fact there was no fine of comparable value to Meta's 2023 fine.

Tech and social media giants are the primary targets of the fines, accounting for nearly all of the top 10 fines since 2018.

In August, the Dutch Data Protection Authority issued a €290m fine against Uber for its transfers of personal data to a third country. 

Elsewhere, the Spanish Data Protection Authority issued two fines totaling €6.2m against a large bank for inadequate security measures, and the Italian Data Protection Authority fined a utility provider €5m for using outdated customer data.

DLA Piper said that a focus on governance and oversight has led to a number of enforcement decisions citing failings in these areas and specifically calling out failings of management bodies.

The Dutch Data Protection Commission announced it is investigating whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR, following a €30.5m judgment against the company.

The investigation into the possibility of holding Clearview AI's management personally liable for continued failings signals "a potentially significant shift in focus by regulators who recognise the power of personal liability to focus minds and drive better compliance."

The average number of breach notifications per day increased slightly to 363 from 335 last year in a leveling off consistent with previous years, as organisations become warier of reporting breaches given the risk of investigations, enforcement, fines, and compensation claims.

The Netherlands, Germany, and Poland remain the top three countries for the highest number of data breaches notified, with 33,471, 27,829 and 14,286 breaches notified respectively. 

"The headline figures in this year's survey have, for the first time ever, not broken any records so you may be forgiven for assuming a cooling of interest and enforcement by Europe's data regulators. This couldn't be further from the truth," said John Magee, partner and global co-chair for DLA Piper's data, privacy and cybersecurity group.

No fine in 2024 topped the €1.2bn Meta was fined by the DPC in 2023. (Pic: Artur Widak/NurPhoto via Getty Images)

"From growing enforcement in sectors away from big tech and social media to the use of the GDPR as an incumbent guardrail for AI enforcement as AI specific regulation falls into place, and supervisory authorities looking to impose personal liability on company directors – GDPR enforcement remains a dynamic and evolving arena with Ireland's DPC remaining at the forefront as Europe's leading data regulator."
