Total Fines Imposed by EU Privacy Regulators Dropped in 2024
At the Same Time, the Total Number of Breach Notifications to Consumers Increased
A global law firm is warning companies with European business not to be too excited about a year-over-year decrease in fines assessed by privacy regulators.
A one-third decrease in the 2024 total of 1.2 billion euros compared to the year before marks the first time in the seven-year history of General Data Protection Regulation enforcement that the annual total has gone down. Global law firm DLA Piper says that reduction is almost entirely attributable to a 2023 spike caused by the Irish Data Protection Commission's imposition of a 1.2 billion euro fine against Facebook (see: Facebook Ordered to Suspend Data Transfers to US From Europe).
The year-on-year decrease of roughly 600 million euros "does not represent a shift in focus from personal data enforcement; the clear year on year trend remains upwards," DLA Piper wrote.
The total, which amounts to $1.23 billion, comes from actions publicly disclosed by data protection authorities. It does not include amounts that have been successfully appealed. Neither does it include fines not disclosed by GDPR enforcers, since some authorities don't publicly reveal their enforcement actions.
U.S. tech firms and social media giants are recipients of regulators' largest fines, accounting for nine of the 10 largest fines imposed since 2018, the report says. Many of those fines continue to get issued in Ireland, where many Silicon Valley tech giants have located their European headquarters.
Last year's biggest fines included Ireland's Data Protection Commission fining LinkedIn 310 million euros for mishandling customer data, and fining Meta 251 million euros over its "view as" flaw.
The Dutch Data Protection Authority in 2024 imposed two of its largest fines to date: 290 million euros against Uber for transferring customer data to the United States without permission, and a fine of 30.5 million euros against Clearview AI for multiple privacy violations, including facial data harvesting. Four other European countries also imposed lower fines for the same behavior.
Since the GDPR came into force on May 25, 2018, the total number of data breach notifications issued by organizations across Europe has gone up, although the trend line indicates a recent tapering.
Organizations last year issued an average of 363 data breach notifications per day, compared to 335 per day in 2023, a figure that may reflect organizations "becoming more wary of reporting data breaches given the risk of investigations, enforcement, fines and compensation claims that may follow notification," DLA Piper said.
The figure also stands in stark contrast to the United States, where organizations last year only collectively reported nine data compromises per day, which suggests the true scale of America's data breach problem is being underreported (see: Mega-Breaches Bump Up 2024 Victim Count).
"We see GDPR supervision evolving and adapting, and also covering sectors beyond large technology companies," said Gustav Lundin, a partner at DLA Piper in Sweden. The Dutch DPA, for example, is exploring whether Clearview AI's management team can be held personally liable for violating GDPR, he said.
The report also says that "European regulators have signaled a more assertive approach to enforcement during 2024 to ensure that AI training, deployment and use remain within the guardrails of the GDPR."
Some jurisdictions - including Italy and Spain - have been imposing fines against a much broader range of sectors, including financial services, and sometimes levying relatively small amounts compared to data protection authorities in other countries, the report finds.
The Spanish Data Protection Authority fined a major bank 6.2 million euros for poor security, while the Office of the Polish Data Protection Commissioner fined mBank 950,000 euros after it suffered a data breach and failed to notify customers, despite being told by the regulator to do so.
Utilities are also seeing more enforcement actions. The Italian Data Protection Authority last year fined electricity and gas supplier Hera Comm 5 million euros for making "unsolicited contracts" with consumers, compounded by it using "inaccurate and out-of-date personal data."
Separately, Sweden's data protection authority, the IMY, imposed a 3.2 million euro fine against pharmaceutical retailer Apoteket for its use of Meta Pixel - formerly Facebook Pixel - for marketing purposes.
Enforcement Outlier: United Kingdom
One outlier last year was the United Kingdom, where the Information Commissioner's Office issued relatively few fines, compared to previous years. The British government codified the GDPR into domestic law before leaving the European Union in early 2020.
U.K. Information Commissioner John Edwards signaled this direction of travel in an interview with The Times of London last November.
"I don't believe that the quantum or volume of fines is a proxy for impact," he said. "You know, they get a lot of headlines. It's easy to compile league tables but I actually don't believe that that approach is necessarily the one that has the greatest impact."
DLA Piper said it's unlikely European data protection authorities will undertake an Edwardian approach. Some companies would undoubtedly approve, but "it seems unlikely that this approach will catch on in the rest of Europe," DLA Piper said.