The Irish Data Protection Commission (DPC) continued its dominance in GDPR enforcement, accounting for more than half of the €1.2 billion in data protection fines imposed across Europe in 2024, according to the latest GDPR Fines and Data Breach Survey by legal firm DLA Piper.
The DPC issued some of the largest penalties last year, including a €310 million fine against LinkedIn and a €251 million fine against Meta. Ireland has now issued a total of €3.5 billion in fines since GDPR came into effect in May 2018, significantly outpacing Luxembourg, which ranks second with €746.38 million in fines over the same period.
Decline in Overall Fines
The total fines in 2024 represented a 33% drop compared to the previous year, which had seen a record-breaking €1.2 billion fine imposed on Meta by the DPC in 2023. The absence of similarly high-profile penalties last year contributed to the decline, though experts stress that enforcement efforts remain robust.
John Magee, Partner and Global Co-Chair of the Data, Privacy, and Cybersecurity Group at DLA Piper, dismissed suggestions that the lower total signals a decrease in regulatory activity.
“This couldn’t be further from the truth,” Magee stated. “From growing enforcement in sectors away from big tech and social media to the use of the GDPR as an incumbent guardrail for AI enforcement, GDPR enforcement remains a dynamic and evolving arena.”
Broadening Enforcement
While tech giants and social media companies remain key targets, 2024 saw increased enforcement in other industries, including financial services and energy. The Spanish Data Protection Authority, for instance, imposed two fines totaling €6.2 million against a major bank for inadequate security measures, while Italy’s data regulator fined a utility provider €5 million for using outdated customer information.
Increasing Breach Notifications
The survey also revealed a slight uptick in breach notifications, with an average of 363 reported per day in 2024, up from 335 in the previous year.
Ireland’s Leading Role
Ireland’s position as Europe’s leading GDPR enforcer has been cemented by its proactive stance and high-profile cases, with the DPC responsible for the largest single fine in GDPR history.
Magee highlighted Ireland’s pivotal role, noting that the DPC’s influence extends beyond traditional sectors. “Ireland’s DPC remains at the forefront as Europe’s leading data regulator, setting the standard for GDPR enforcement,” he said.
With GDPR enforcement increasingly intersecting with emerging areas like artificial intelligence, experts predict continued scrutiny and evolving regulatory landscapes in the years ahead.
