This is the seventh edition of the annual DLA Piper report, which provides an excellent summary of trends in the "personal data protection market" and highlights potential threats to Data Controllers.
In 2024, a total of €1.2 billion ($1.26 billion / £996 million) in fines were imposed in Europe. The total fines imposed since the introduction of the GDPR in 2018 now stand at €5.88 billion ($6.17 billion / £4.88 billion). The largest fine ever imposed under the GDPR remains the €1.2 billion ($1.26 billion / £996 million) fine imposed by the Irish DPC [2] on Meta Platforms Ireland Limited in 2023.
In 2024, data protection supervisory authorities in Europe continued their aggressive enforcement of the GDPR, imposing significant fines on data protection violators. After six years of imposing fines reaching hundreds of millions of euros, these authorities now have a stronger foothold and a foundation (in the form of previously upheld fines) to build on.
In 2024, data protection regulators in Europe imposed a total of €1.2 billion ($1.26 billion / £996 million) in fines. This represents a 33% decrease compared to the total fines imposed in 2023 [in 2023, the total fines imposed were €1.78 billion ($1.87 billion / £1.48 billion)].
This decline is partly due to the fact that the 2023 figures were distorted by the record fine imposed by the Irish data protection authority on Meta (€1.2 billion). No supervisory authority broke or came close to this record in 2024.
As in previous years, the largest fines were imposed on tech giants and social media companies – nine of the ten highest fines were against companies in this sector.
This year:
The Irish Data Protection Commission fined LinkedIn €310 million ($326 million/£257 million) and Meta €251 million ($264 million/£208 million);
The Dutch Data Protection Authority has fined a popular ride-hailing app €290 million ($305 million/£241 million) for transferring personal data to a third country.
Enforcement in 2024 has also expanded significantly to other sectors, including financial services and energy:
The Spanish Data Protection Authority has imposed two fines totalling €6.2 million ($6.5 million/£5.1 million) on a major banking institution for insufficient security measures;
The Italian Data Protection Authority has fined a service provider €5 million ($5.25 million / £4.15 million) for using outdated customer data.
The UK was an exception in 2024, imposing very few fines. The UK supervisory authority's commissioner, John Edwards, quoted by the British press in November 2024 [3], said he disagreed with the view that fines have the greatest impact on data controllers. He pointed out that appeals against fines can take years and consume valuable supervisory authority resources. Successful appeals by controllers or reductions in fines can weaken enforcement and deterrence, as well as undermine the confidence and effectiveness of investigation and enforcement teams within data protection authorities. An alternative approach is to impose smaller fines more frequently, which is the preference of authorities in the countries mentioned above, such as Italy and Spain.
Number of data breach reports
The average number of data breach notifications per day increased slightly to 363 from 335 last year, indicating some stabilization in the number of reports.
According to a DLA Piper study, from the entry into force of the GDPR on May 25, 2018, to January 27, 2025, there have been no major changes in the top countries reporting the most breaches to supervisory authorities – the Netherlands, Germany and Poland remain on the podium with 33,471, 27,829 and 14,286 reports, respectively.
[4] Top 10 countries with the highest total number of personal data breach notifications between May 25, 2018 and January 27, 2025 inclusive.
Table of total fines at country level
There is no change at the top of the table for total fines imposed to date – Ireland continues to hold the top spot, with fines now totalling €3.5 billion ($3.7 billion/£2.9 billion). The Irish Data Protection Authority (DPC) has issued eight of the ten highest fines to date. As predicted in last year's report, given Ireland's popularity as a home to many social media and data-driven technology companies, and the fact that the DPC is often the lead supervisory authority for cross-border data processing across the EU, it is no surprise that Ireland has retained its top spot in the table for fines imposed this year.
Luxembourg continues to rank second in the table of countries with total fines of €746.38 million ($784 million/£619 million), mainly due to a large fine imposed in 2021 on a US online retailer and e-commerce platform (a €746 million fine that is still under appeal).

[5] Total value of fines imposed under the GDPR from May 25, 2018 to January 27, 2025 (in euros)
Key Decision – Clearview AI
Interesting aspects of personal data protection were raised in a recent decision by the Dutch Data Protection Authority. In September 2024, the Dutch Data Protection Authority (DPA) imposed a fine of €30.5 million ($32.03 million / £25.32 million) on facial recognition software provider Clearview AI.
Clearview AI collected facial images and data from publicly available information on the internet and social media platforms worldwide, creating a global facial recognition database. The individuals whose data was being used in this way were not informed, and the database itself contained a vast amount of data.
Following a series of complaints from privacy activists since May 2021, several supervisory authorities have imposed fines on Clearview AI for GDPR violations. Despite these fines, Clearview AI continued to operate in the same manner. Consequently, the Dutch DPA decided to impose additional fines of up to €5.1 million ($5.4 million/£4.2 million) for further non-compliance, citing that the company had not ceased the violations after the proceedings were concluded. Furthermore, the DPA stated that it was conducting an investigation to determine whether it could "hold the company's management personally liable and impose fines on them for liability for the violations [6]." The Dutch DPA explained that "such liability already exists where directors know that the provisions of the GDPR are being violated, have the power and tools to prevent it, but fail to do so by knowingly accepting these violations."