Key points:
- Total GDPR fines in 2024 reached €1.2 billion, a 33% decrease from 2023.
- Big tech remains the main target, but other sectors face increased enforcement.
- Regulators pivot to AI and explore personal liability for management.
The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey reveals a dynamic year in European data privacy enforcement. Despite a 33% decline in fines compared to 2023, regulators issued an aggregate €1.2 billion in penalties, signaling sustained momentum in compliance efforts.
Big tech dominance continues:
- Top fines targeted social media and tech giants, including €310 million against LinkedIn and €251 million against Meta by the Irish Data Protection Commission.
- In August 2024, the Dutch Data Protection Authority fined a ride-hailing app €290 million over data transfers to third countries.
Broader sector focus:
- Financial services and energy saw increased scrutiny, such as Spain’s €6.2 million fine against a major bank for security lapses.
- Italy penalized a utility company €5 million for outdated customer data usage.
Shifts in enforcement:
- The UK bucked the trend, issuing few fines in 2024. UK Information Commissioner John Edwards emphasized avoiding litigation-heavy enforcement.
- Regulators in other countries expanded their reach, spotlighting management oversight and governance failings.
The Dutch Data Protection Commission is now investigating potential personal liability for Clearview AI directors following a €30.5 million penalty. This approach may set a precedent for naming and shaming to drive compliance.
Data breaches: Daily breach notifications averaged 363, a slight increase from last year’s 335. Leading countries for breach reports include the Netherlands, Germany, and Poland, with over 75,000 combined notifications in 2024.
AI scrutiny: Enforcement intensified around AI technologies. Regulators emphasized GDPR compliance in AI design and operations, underscoring the importance of integrating privacy principles into emerging technologies.
Ross McKean, Chair of the UK Data, Privacy, and Cybersecurity practice at DLA Piper, remarked, “Regulators are asserting themselves to ensure AI stays within GDPR boundaries.” His full comments can be found in DLA Piper’s official report.
As regulators sharpen their focus on personal liability and AI, 2025 could mark a pivotal year for compliance strategies across sectors.