The latest edition of DLA Piper’s GDPR Fines and Data Breach Survey has once again highlighted the evolving landscape of data privacy enforcement in Europe. In 2024, regulators across the continent imposed a total of €1.2 billion in fines, bringing the cumulative total since the introduction of GDPR in 2018 to a whopping €5.88 billion. While this year’s fines represent a 33% decrease from 2023, the long-term trend continues to show an increase in enforcement activity.
Ireland is still the leading enforcer…
Since the GDPR came into effect in 2018, Ireland has remained the most active regulator, issuing an incredible €3.5 billion in fines. This is more than four times the amount imposed by Luxembourg, the second-highest enforcer, which has issued €746.38 million in fines during the same period. To be fair, Ireland’s dominance is mostly due to its jurisdiction over major tech companies headquartered in the country.
…and big tech is still a target
Major technology and social media companies continue to be the primary focus of GDPR enforcement. This year alone, the Irish Data Protection Commission (DPC) fined LinkedIn €310 million and Meta €251 million. In August, the Dutch Data Protection Authority imposed a €290 million fine on Uber for improper data transfers to a third country.
This past year also saw increased enforcement in other industries, such as financial services and energy. For instance, the Spanish Data Protection Authority levied two fines totaling €6.2 million against a major bank for inadequate security measures. Similarly, the Italian Data Protection Authority fined a utility provider €5 million for using outdated customer data.
UK’s approach
In a departure from the European trend, the UK imposed significantly fewer fines in 2024. UK Information Commissioner John Edwards suggested that fines may not be the most effective enforcement tool, as they often lead to prolonged litigation. This approach is unlikely to be adopted widely across the rest of Europe.
Getting personal?
One of the most striking developments in GDPR enforcement this year has been the increased focus on holding company executives personally accountable for compliance failures. The Dutch Data Protection Authority is investigating whether the directors of Clearview AI can be personally liable for repeated violations, following a €30.5 million fine against the company. If successful, this move could mark a significant shift in regulatory strategy, forcing top executives to take a more hands-on approach to data protection.
“For me, I will mostly remember 2024 as the year that GDPR enforcement got personal,” stated Ross McKean, Chair of DLA Piper’s UK Data, Privacy, and Cybersecurity practice.
Small rise in data breach notifications
The number of daily breach notifications rose slightly from 335 to 363, suggesting that companies remain cautious about reporting incidents due to potential investigations and financial penalties. The Netherlands, Germany, and Poland continue to lead in the number of reported data breaches, with 33,471, 27,829, and 14,286 notifications respectively in the past year.
All eyes on AI
Regulators are increasingly turning their attention to AI and its compliance with GDPR. European authorities have signaled a commitment to ensuring that AI technologies adhere to data protection laws. As AI regulation continues to develop, businesses must integrate GDPR compliance into the design and operation of their AI systems to avoid enforcement actions.
A look ahead
Several key trends are likely to shape GDPR enforcement in 2025:
- Continued scrutiny of big tech with significant fines expected against major firms
- Greater attention to non-tech sectors, including financial services, healthcare, and energy
- Personal liability for executives could become a new enforcement tool, leading to direct accountability for compliance failures
- Increased AI regulation, as European regulators set stricter guardrails for AI development and deployment
If these trends continue, next year could see even more emphasis on personal liability and governance as key factors in GDPR compliance.