DLA Piper GDPR Fines and Data Breach Survey: January 2024

The 2024 edition of DLA Piper’s GDPR and Data Breach Survey has revealed another record year for GDPR enforcement. Supervisory authorities across Europe have issued a total of EUR1.78 billion (USD1.94billion/GBP1.55 billion) in fines since 28 January 2023, which is an increase of over 14% on the total issued in the year from 28 January 2022.

Ireland continues in pole position this year with the highest aggregate GDPR fines issued since 25 May 2018 and also takes the top spot for the largest ever fine imposed, with a EUR1.2 billion (USD1.31 billion/GBP1.04 billion) fine issued against Meta this year, relegating Luxembourg to second place. The total value of GDPR fines imposed in Ireland is now EUR2.86 billion (USD3.12 billion /GBP2.49 billion). As Ireland is a popular location for technology companies to set up their main establishment in the EU, it is not surprising that it has rocketed to the top spot of the country league table with social media and big tech as the primary target for record fines across the country.

Commenting on the survey findings, John Magee, Partner and Chair of Data, Privacy and Cybersecurity at DLA Piper in Dublin, commented on the report:

“The Irish Data Protection Commission continued to play a central role in shaping GDPR interpretations this year, notably with key decisions and fines on issues ranging from transparency and data transfer to information security and children’s privacy. As Commissioner Helen Dixon steps down after a decade, her legacy of firm but fair leadership sets the stage for a new panel of commissioners at the DPC who will continue to face complex challenges under the watchful eye of the EDPB. While some key regulatory decisions have been reached, many remain under appeal through both the Irish and EU courts – leading to an unresolved legal landscape post-GDPR. For businesses navigating this evolving data protection framework, balancing strategic adaptability with operational efficiency remains a challenging tightrope to walk.”

Social media and big tech remain the primary target for record fines across the countries surveyed with each of the top ten largest fines issued since 25 May 2018 being imposed on businesses in this sector.

Failure to comply with the core GDPR principles continues to be the most frequently cited justification for fines across the jurisdictions surveyed and failures to comply with the lawfulness, fairness and transparency principle remain the top enforcement priority. Fines resulting from breach of the integrity and confidentiality principle - and the related Article 32 – security of processing – also continue to feature across all jurisdictions surveyed.

Continuing the trend of the last couple of years, on average there were 335 breach notifications per day from 28 January 2023 to 27 January 2024 compared to 328 during the same period last year. Allowing for the margin of error, there is effectively no year-on-year change in the number of breach notifications made. Germany, the Netherlands, and Poland have reported the highest number of data breaches notified from 28 January 2023 to 27 January 2024, with 32,030, 20,235 and 14,167 respectively. Denmark is at the top of the table for the number of breach notifications made per 100,000 capita.

Adding to this years’ survey findings, Ross McKean, Chair of the UK Data Protection and Cybersecurity Group said:

“Legal uncertainty is set to continue under GDPR. For social media and big tech in particular, record breaking fines and orders to suspend illegal processing are an ever present danger; they are in effect a ‘data tax’ when doing business in Europe. There are also many new and proposed laws and regulations applying to data and the digital world. Governance and effective risk management are essential for organisations to be able to tackle legal complexity and compliance risk, and to ensure business continuity.”