In 2024, European data protection regulators imposed a total of €1.2 billion in fines, according to DLA Piper’s latest “GDPR Fines and Data Breach Survey.” While this represents a 33% decrease compared to 2023, legal experts caution that the drop does not indicate a relaxation in regulatory enforcement. The decline is attributed to the absence of record-breaking fines, such as the €1.2 billion penalty imposed on Meta in 2023 for GDPR violations.
Since the introduction of the GDPR in May 2018, European regulators have issued fines amounting to €5.88 billion. Ireland leads in enforcement, accounting for €3.5 billion in fines—more than four times the amount imposed by Luxembourg, which ranks second. The largest fines have primarily targeted tech and social media companies, with nine of the ten highest penalties issued to firms in this sector.
Regulatory Activity Remains High
“Despite the lack of record-breaking fines last year, regulatory activity across Europe remains vigorous,” said Ewa Kurowska-Tober, Head of the Intellectual Property and Technology (IPT) practice at DLA Piper’s Warsaw office.
“There’s a growing confidence among regulators to impose substantial penalties. Large American corporations in the tech and social media sectors continue to be primary targets. However, in 2024, regulators also turned their focus toward the financial and energy sectors,” she added.
The largest fine of 2024 was imposed by the Irish Data Protection Commission: €310 million on LinkedIn for GDPR violations related to the legality, fairness, and transparency of data processing. Meta faced another penalty, this time amounting to €251 million, while the Dutch data authority fined a prominent ride-sharing company €290 million for transferring drivers’ personal data outside the EU.
Other sectors also saw heightened regulatory scrutiny. Spain’s data protection authority fined a major bank €6.2 million for insufficient security measures, while Italy issued a €5 million fine to an energy provider for using outdated customer data. In Poland, the President of the Personal Data Protection Office imposed a €4 million fine on a leading bank for failing to notify affected individuals of a data breach.
Poland Among Leaders in Data Breach Reports
The number of data breach notifications across Europe rose in 2024, with an average of 363 reports per day, compared to 335 the previous year. Poland, alongside the Netherlands and Germany, ranked among the top countries for reported breaches.
- Netherlands: 33,471 breaches
- Germany: 27,829 breaches
- Poland: 14,286 breaches
“This increase reflects companies’ growing diligence in reporting breaches due to the risks of regulatory investigations, financial penalties, and compensation claims,” commented Piotr Czulak, Senior Associate at DLA Piper in Poland.
Emerging Trends: Personal Accountability for GDPR Violations
DLA Piper’s experts highlighted significant shifts in regulatory enforcement. One notable trend is the increasing focus on personal accountability for GDPR violations. The Dutch Data Protection Authority initiated proceedings to hold the board members of Clearview AI personally accountable after the company was fined €30.5 million for GDPR violations related to facial recognition technology.
“This marks a new standard for accountability. For the first time, regulators are considering personal liability for executives knowingly tolerating violations. It’s a wake-up call for managers who do not take GDPR compliance seriously,” emphasized Ewa Kurowska-Tober.
Key Takeaways
- Total GDPR fines in 2024: €1.2 billion (down 33% year-on-year).
- Largest fine: €310 million imposed on LinkedIn by Ireland.
- €5.88 billion in total fines since GDPR implementation in 2018.
- Poland among leaders in breach notifications with 14,286 reports.
- Emerging trend: Personal liability for executives in GDPR violations.
The report by DLA Piper covered the 27 EU member states, as well as the UK, Norway, Iceland, and Liechtenstein.
Source: CEO.com.pl
