The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey reports notable developments in data privacy enforcement: a total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines was imposed across Europe in 2024. This is a 33% decrease on the aggregate fines of the previous year, an unusual break in what had been a consistent upward trend since the General Data Protection Regulation (GDPR) took effect in May 2018.
Ireland remains the leading enforcement authority, having issued EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since the GDPR took effect, more than four times the EUR746.38 million (USD784 million/GBP619 million) imposed by Luxembourg's Data Protection Authority, the next-highest total. Cumulative fines across Europe since the GDPR's implementation amount to approximately EUR5.88 billion (USD6.17 billion/GBP4.88 billion).
Despite the overall reduction, 2024 still saw significant penalties against major tech companies. Most notably, the Irish Data Protection Commission fined LinkedIn EUR310 million (USD326 million/GBP257 million) and Meta EUR251 million (USD264 million/GBP208 million). The Dutch Data Protection Authority also fined a prominent ride-hailing service EUR290 million (USD305 million/GBP241 million) for mishandling transfers of personal data.
Enforcement also expanded beyond tech into sectors such as financial services and energy. The Spanish Data Protection Authority issued two fines totalling EUR6.2 million (USD6.5 million/GBP5.1 million) against a large bank for insufficient security practices, and Italy’s Data Protection Authority fined a utility provider EUR5 million (USD5.25 million/GBP4.15 million) for relying on outdated customer information.
The UK was an outlier in 2024, issuing very few fines. In a November 2024 statement to the British press, UK Information Commissioner John Edwards said he doubts that fines are the most effective tool, suggesting that they risk bogging his office down in protracted legal battles, a stance that diverges from the enforcement trend seen across the rest of Europe.
Recent enforcement actions also signal a shift in regulatory scrutiny towards governance and oversight. The Dutch Data Protection Authority is investigating whether the directors of Clearview AI can be held personally liable for the company's breaches of the GDPR, following its EUR30.5 million (USD32.03 million/GBP25.32 million) fine against the company. The investigation suggests that regulators increasingly see personal accountability as a lever for ensuring compliance.
Data breach notifications continued to rise slightly, averaging 363 per day compared with 335 the previous year. The increase, which the report describes as consistent with prior years, comes despite growing wariness among organisations about the consequences of notifying, since a report can trigger an investigation and further enforcement action. The Netherlands, Germany and Poland continue to record the highest numbers of breaches notified under the GDPR since May 2018.
The report also highlights the close scrutiny now applied to AI technologies: several enforcement decisions in 2024 stressed that businesses must build GDPR compliance into the design of their AI systems. Ross McKean, Chair of the UK Data, Privacy and Cybersecurity practice, stated, “European regulators have signalled a more assertive approach to enforcement during 2024 to ensure that AI training, deployment and use remains within the guard rails of the GDPR.”
Looking ahead, John Magee, Global Co-Chair of DLA Piper’s Data, Privacy and Cybersecurity practice, said the dip in fine totals belies a more vigilant stance by regulators: “From growing enforcement in sectors away from big tech and social media, to the use of the GDPR as an incumbent guardrail for AI enforcement as AI specific regulation falls into place, GDPR enforcement remains a dynamic and evolving arena.”
Overall, 2024 may be seen as a pivotal year in which European regulators began shifting towards personal accountability in data compliance; in McKean’s words, it was “the year that GDPR enforcement got personal.” The expectation is that 2025 will bring more naming and shaming centred on personal liability, strengthening the compliance culture as organisations navigate the complexities of AI and data protection laws.
Source: Noah Wire Services