Complexity and scale of GDPR enforcement persist as an expensive and uncertain thorn in the side of the data economy as aggregate historic fines close in on EUR 5 billion.
The 2024 edition of global law firm DLA Piper’s annual GDPR and Data Breach Survey also reveals total fines issued for a wide range of GDPR infringements and the league table of fines issued by country since 28 January 2023. The survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein.
- Ireland continues in pole position this year with the highest aggregate GDPR fines issued since 25 May 2018, with the total value of GDPR fines imposed in Ireland now EUR 2.86 billion.
- Ireland also takes the top spot for the largest ever fine imposed, with a EUR 1.2 billion fine issued against Meta this year.
- This year supervisory authorities across Europe have issued a total of EUR 1.78 billion in fines since 28 January 2023, which is an increase of 14.10% on the total of EUR 1.56 billion issued in the year from 28 January 2022.
- Social media and big tech remain the primary target for record fines across the countries surveyed with each of the top ten largest fines issued since 25 May 2018 being imposed on businesses in this sector.
- Allowing for the margin of error there has been no change in the number of breach notifications made – with an average of 335 breach notifications per day from 28 January 2023 to 27 January 2024 compared to 328 during the same period last year.**
Global law firm DLA Piper has published the findings of its annual GDPR and Data Breach Survey***:
Ireland continues in pole position this year with the highest aggregate GDPR fines issued since 25 May 2018 and also takes the top spot for the largest ever fine imposed, relegating Luxembourg to second place. The total value of GDPR fines imposed in Ireland is now EUR 2.86 billion. As Ireland is a popular location for technology companies to set up their main establishment in the EU, it is not surprising that it has rocketed to the top spot of the country league table for the aggregate value of fines imposed.
The GDPR restrictions on the transfer of personal data to third countries remain an enforcement priority for European supervisory authorities, with a EUR 1.2 billion fine issued against Meta in Ireland, the highest fine ever imposed, being the standout - but also multiple enforcement actions by regulators across the EU for alleged illegal transfers of personal data.
This year supervisory authorities across Europe have issued a total of EUR 1.78 billion in fines since 28 January 2023, which is an increase of 14.10% on the total of EUR 1.56 billion issued in the year from 28 January 2022. This is a much smaller increase than the 50% reported last year. The slowdown has mainly been driven by a number of successful appeals in various jurisdictions, which have seen fines reduced or in some cases completely overturned, as well as by fewer fines being issued by European data protection authorities following opinions and binding decisions of the European Data Protection Board under the GDPR consistency mechanism.
Social media and big tech remain the primary target for record fines across the countries surveyed with each of the top ten largest fines issued since 25 May 2018 being imposed on businesses in this sector. This year has seen the battle rage over the “grand bargain”, which has enabled service providers to fund the development of progressive consumer services in exchange for monetising their data since the earliest days of the internet. That bargain is now under sustained attack by European supervisory authorities and Europe’s highest court, the CJEU, and plans by some service providers to move to a “pay or okay” model are set for a bumpy ride with regulators and privacy activists.
Failure to comply with the core GDPR principles continues to be the most frequently cited justification for fines across the jurisdictions surveyed, and failures to comply with the lawfulness, fairness and transparency principle remain the top enforcement priority. Fines resulting from breach of the integrity and confidentiality principle - and the related Article 32 (security of processing) - also continue to feature across all jurisdictions surveyed.
Continuing the trend of the last couple of years, on average there were 335 breach notifications per day from 28 January 2023 to 27 January 2024, compared to 328 during the same period last year. Allowing for the margin of error, there is effectively no year-on-year change in the number of breach notifications made. Germany, the Netherlands and Poland reported the highest number of data breaches notified from 28 January 2023 to 27 January 2024, with 32,030, 20,235 and 14,167 respectively. Denmark is at the top of the table for the number of breach notifications made per 100,000 inhabitants.
About DLA Piper
DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world.
Stephanie Leclercq, DLA Piper, Luxembourg, [email protected]
** Not all the countries covered by this report make breach notification statistics publicly available and many provided data for only part of the period covered by this report. We have, therefore, had to extrapolate the data to cover the full period. It is also possible that some of the breaches reported relate to the regime before GDPR. As a number of data protection supervisory authorities have now issued annual reports for 2023, some figures in last year’s report that were previously extrapolated have been updated in this report.
*** The survey looks at key GDPR metrics across the EEA and the UK since GDPR first applied on 25 May 2018 and for the year commencing 28 January 2023. The EEA includes all 27 Member States of the European Union plus Norway, Iceland and Liechtenstein. The UK left the EU on 31 January 2020. The UK has implemented GDPR into law in each of the jurisdictions within the UK (England, Northern Ireland, Scotland and Wales). As at the date of this survey, the UK GDPR is the same in all material respects as the EU GDPR. That said, the UK Government is proposing to legislate changes to UK data protection laws and has published the Data Protection and Digital Information Bill. It remains to be seen to what extent these changes will deviate from the EU GDPR.