Rules Navigator

European GDPR fines down 33% in 2024, but enforcement ‘remains dynamic’

A screen highlighting personal data.
Photo: Getty Images

Martina Lindberg

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

The Irish Data Protection Commission continues to take the lead on GDPR fines in Europe.

The combined total of EU GDPR fines in 2024 totalled €1.2 billion ($1.2 billion), data from DLA Piper shows. That is a 33% decrease on the record total of €2.9 billion ($3 billion) in 2023.

Many of the European data protection authorities have issued several large fines this year. But none as big as the record fine on Meta in 2023 – which explains the big drop in fines this year.

John Magee, Global Co-Chair of DLA Piper’s Data, Privacy and Cybersecurity practice, said that the decreasing numbers are not a sign of a cooling of interest and enforcement by the data regulators in Europe. Especially when it comes to AI.

“From growing enforcement in sectors away from big tech and social media, to the use of the GDPR as an incumbent guardrail for AI enforcement as AI specific regulation falls into place, to significant fines across the likes of Germany, Italy and the Netherlands, and the UK’s shift away from fine-first enforcement – GDPR enforcement remains a dynamic and evolving arena.”

Focus on AI and privacy

The increasing use of AI is already on the mind of many data protection supervisory authorities. Some have made a number of decisions lately which DLA Piper says signals the intent to “closely scrutinise the operation of AI technologies and their alignment with privacy and data protection laws.”

Ross McKean, Chair of the UK Data, Privacy and Cybersecurity practice, said: “European regulators have signalled a more assertive approach to enforcement during 2024 to ensure that AI training, deployment and use remains within the guard rails of the GDPR. We expect for this trend to continue during 2025 as US AI technology comes up against European data protection laws.”

Top three GDPR fines

  1. Ireland – Meta – €1.2 billion ($1.2 billion)
  2. Luxembourg – Amazon – €746m ($790m) This fine is under appeal.
  3. Ireland – Meta – €405m ($425m)

Increasing data breach notifications

As before, the number of data breach notifications keep increasing, with 363 per day during the period January 28, 2024 to January 27, 2025. This was a slight increase compared to 335 during the same period last year.

“This is consistent with the trend we have seen in previous years, and is likely indicative of organisations becoming more wary of reporting data breaches given the risk of investigations, enforcement, fines and compensation claims that may follow notification,” DLA Piper says.

The top three countries with the highest number of data breaches were:

  • The Netherlands – 33,471;
  • Germany – 27,829; and
  • Poland – 14,286.

Dutch fine on Clearview

Another notable fine during the period was against the American company Clearview AI, which had illegally built a database of over 30 billion faces without consent.

Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (DPA), fined the company €30.5m ($33.7m) for “seriously violated privacy law GDPR” on multiple occasions. It said that Clearview AI shouldn’t have built the database, and that it is insufficiently transparent, especially around the biometric codes, which the DPA said are biometric data as much as fingerprints are.

“The clear trend is for more frequent and higher fines as regulators gain confidence and assertiveness.”

DLA Piper

Clearview AI did not stop the violations, and an additional fine of €5m ($5.5m) was issued on top of the €30.5m already levied. The company had also earlier been fined by both the Italian and Greek Data Protection Authorities.

In March 2022, Garante per la protezione dei dati personali fined Clearview AI €20m ($22m) over alleged biometric monitoring techniques of Italian individuals, where it it was found to be both holding and processing biometric and geolocation information illegally. Later in July, the Greek DPA, Hellenic, fined the company €20m ($22m) for violating the principles of lawfulness and transparency regarding GDPR.

Meta €1.2 billion fine

The biggest fine to date was issued in May 2023, when the Irish Data Protection Commission (DPC) slapped a record high fine of €1.2 billion ($1.2 billion) on Meta for breaching multiple articles of EU GDPR when it transferred personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.

The Irish DPC is also the authority that has issued the most GDPR fines, with a total value of €3.5 billion ($3.6 billion), and has issued eight of the top 10 fines to date.

Luxembourg retains second place, and issued fines totalling €746.38m ($767.6m).

“European regulators have signalled a more assertive approach to enforcement during 2024 to ensure that AI training, deployment and use remains within the guard rails of the GDPR.”

Ross McKean, Chair of the UK Data, Privacy and Cybersecurity practice

There is also a big difference in how the supervisory authorities issue fines. Ireland and Luxembourg have issued fewer yet bigger high-profile fines, compared to Italy and Spain who have gone for issuing more but for smaller amounts.

The Information Commissioner’s Office (ICO) in the UK has also taken a different approach, saying it would rather engage with the industry to provide lessons learned instead of issuing financial penalties. ICO Commissioner John Edwards said that he chose the approach to work proactively with senior leaders to encourage data protection compliance, prevent harms before they happen, and learn from events that have gone wrong. “That’s so victims of a data breach are not being punished twice in the form of reduced budgets for vital public services.”

Even though some organizations have welcomed the approach, the report thinks it is unlikely to catch on in the rest of Europe. “The clear trend is for more frequent and higher fines as regulators gain confidence and assertiveness,” DLA Piper concludes.

Total value of fines

The total of €5.88 billion ($6.17 billion) in GDPR fines since May 25, 2018, includes:

  • Ireland – €3,507,481,500
  • Luxembourg – €746,380,875
  • France – €597,439,700
  • Netherlands – €344,614,500
  • Italy – €237,287,260
  • Spain – €116,940,239
  • Germany – €89,099,618
  • UK – €70,194,862
  • Austria – €44,816,915
  • Greece – €36,656,249
  • Sweden – €17,690,000
  • Norway – €13,940,000
  • Czech Republic – €12,123,489
  • Croatia – €9,250,000
  • Poland – €6,919,077
  • Portugal – €6,737,650
  • Hungary €4,170,000
  • Bulgaria – €3,920,000
  • Finland – €3,503,400
  • Lithuania – €2,777,576
  • Romania – €2,086,318
  • Latvia – €1,631,484
  • Belgium – €1,547,772
  • Cyprus – €1,435,850
  • Iceland – €655,062
  • Slovakia – €644,247
  • Malta – €510,500
  • Denmark – €274,855
  • Estonia – €158,972
  • Slovenia – €51,000
  • Liechtenstein – €28,107

Notable, some jurisdictions have not made fines publically available, so some figures are likely to be higher.

, , , , , , , , ,

You may also like