GDPR fines across Europe total €1.2 billion in 2024, according to DLA Piper

The seventh edition of DLA Piper’s GDPR Fines and Data Breach Survey highlights another significant year in data protection enforcement. Total fines issued in 2024 amounted to €1.2 billion, bringing the cumulative value of penalties under the GDPR to €5.88 billion since its implementation in May 2018.

Ireland continues to lead enforcement efforts with €3.5 billion in fines imposed since 2018. The largest single GDPR fine remains the €1.2 billion penalty against Meta Platforms Ireland Limited in 2023, a record-breaking sanction that has yet to be surpassed.

Trends and Key Insights

The study notes a 33% reduction in fines compared to the previous year, breaking the seven-year trend of increasing enforcement. However, this decline is largely attributed to the absence of a record-setting penalty comparable to the 2023 fine against Meta.

Technology giants and social media companies remain primary targets for high-value fines. Almost all of the ten largest fines since 2018 have involved the tech sector, including the €310 million fine against LinkedIn and the €251 million fine against Meta, both issued by the Irish Data Protection Commission in 2024.

In 2024, GDPR enforcement expanded into other industries, including financial services and energy. Notable cases include:

  • Spain: Fines totaling €6.2 million imposed on a major bank for inadequate security measures.
  • Italy: A €5 million fine against an energy provider for using outdated customer data.

Germany also remains a key player in GDPR enforcement, with cumulative fines amounting to €89.1 million since 2018. German authorities focus particularly on violations involving data integrity, confidentiality, and security.

Dr. Jan Geert Meents, Partner in DLA Piper’s Intellectual Property & Technology (IPT) group in Germany, comments: “This year’s results demonstrate that European data protection authorities continue to maintain a clear enforcement trajectory. The overall reduction in fine totals is due to extraordinary events in the previous year and does not signify a decrease in regulatory activity. GDPR remains a robust tool for ensuring data protection and compliance, particularly in Germany.”

Focus on personal liability

A growing emphasis on governance and oversight has led to cases where corporate leadership has been scrutinized for failures in compliance. For instance, the Dutch Data Protection Authority is investigating whether the executives of Clearview AI can be held personally liable for GDPR violations following a €30.5 million fine imposed on the company.

Verena Grentzenberg, a Partner in DLA Piper’s IPT group in Germany, highlights: “The increasing focus on personal liability for executives marks a new phase in GDPR enforcement. It sends a strong message to companies that data protection violations will have serious consequences – including at the individual level.”

Data breach notifications

The average number of daily reported data breaches rose slightly in 2024, from 335 to 363. This modest increase reflects companies’ growing caution in reporting breaches, driven by the risk of regulatory investigations, fines, and potential damage claims.

The countries with the highest reported data breaches since GDPR’s inception remain unchanged:

  • Netherlands: 33,471 reported breaches.
  • Germany: 27,829.
  • Poland: 14,286.

Jan Pohle, another IPT Partner specializing in data protection, concludes: “Although this year’s survey does not reveal new record fines, it does not indicate diminished interest or activity from European data protection authorities. On the contrary, enforcement continues to evolve, with increased regulation in sectors beyond Big Tech and social media. GDPR is also increasingly setting the benchmark for emerging areas such as AI regulation and privacy compliance in AI applications.”

michela.cannovale@lcpublishinggroup.com
