DPC again leads the way in GDPR fines
Ireland’s data-protection watchdog was responsible for more than half of the €1.2 billion in fines handed out across Europe last year for breaches of the GDPR rules on data privacy, according to figures published today (21 January).
Law firm DLA Piper says that the European figure represents a 33% drop compared with the previous year, bucking a seven-year trend of increases.
The firm’s GDPR Fines and Data Breach Survey points out, however, that the 2024 reduction is almost entirely due to a record-breaking €1.2 billion fine against Meta in 2023, which skewed that year’s figures.
DLA Piper’s figures show that Ireland has issued GDPR-linked fines totalling €3.5 billion since May 2018 – more than four times the value of fines issued by the Luxembourg data authority, which ranked second.
The total fines reported since the application of the GDPR in 2018 now stand at €5.88 billion.
Financial services
The law firm says that big technology companies and social-media platforms continue to be the main targets, with nearly all of the top ten largest fines since 2018 imposed on this sector.
Its report notes, however, that 2024 enforcement “expanded notably” in other sectors – including financial services and energy.
DLA Piper describes Britain as “an outlier” in 2024, issuing very few fines.
It cites a quote from the country’s information commissioner John Edwards in the British press in November 2024, when he said that he did not agree that fines were likely to have the greatest impact, and that they would tie his office up in years of litigation.
‘Novel’ Dutch investigation
The firm’s report highlights a focus on governance and oversight last year that led to several enforcement decisions citing failings in these areas.
It notes an investigation by the Dutch data authority into whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR, following a €30.5 million fine against the company.
“This novel investigation into the possibility of holding Clearview AI's management personally liable for continued failings of the company signals a potentially significant shift in focus by regulators, who recognise the power of personal liability to focus minds and drive better compliance,” DLA Piper says.
‘Evolving arena’
The average number of breach notifications per day increased slightly to 363 from 335 last year, with DLA Piper describing this as a 'levelling off' and a likely signal of organisations becoming more wary of reporting breaches, given the risk of investigations, enforcement, fines, and compensation claims.
John Magee (partner and global co-chair of DLA Piper’s data, privacy and cyber-security group) said that the lack of record fines did not mean a cooling of interest and enforcement from regulators.
“From growing enforcement in sectors away from big tech and social media, to the use of the GDPR as an incumbent guardrail for AI enforcement as AI-specific regulation falls into place, and supervisory authorities looking to impose personal liability on company directors – GDPR enforcement remains a dynamic and evolving arena,” he stated.
Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland