In 2024, GDPR fines issued across Europe amounted to €1.2 billion, marking a 33% decrease compared to the €2.9 billion levied in 2023. This is the first recorded decline in fines since the GDPR’s inception in 2018. The drop was largely due to the absence in 2024 of anything comparable to the record-breaking €1.2 billion fine imposed on Meta in 2023 for transferring personal data to the US under standard contractual clauses. Despite the decrease, regulators emphasized that the enforcement of personal data protection remains a critical focus in the European Union.
Big tech and social media companies continued to face significant penalties in 2024. The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for improper data processing in advertising, while Uber was fined €290 million by the Dutch Data Protection Authority for storing driver data in the US without adequate safeguards. Meta faced another penalty, a €251 million fine from the Irish DPC, related to a 2018 Facebook data breach that affected 29 million accounts. These cases illustrate the continued prioritization of data privacy enforcement against major corporations.
Since the GDPR’s implementation in May 2018, the total fines issued across Europe have reached €5.88 billion, with the Irish DPC leading as the most active regulator. The Irish DPC has issued €3.5 billion in fines, significantly surpassing the Luxembourg Data Protection Authority, the next most active regulator. In addition to targeting technology companies, 2024 saw an expansion of enforcement into other industries, such as financial services and energy. For example, the Spanish Data Protection Authority fined CaixaBank €6.2 million for inadequate security measures.
The average number of breach notifications in 2024 rose slightly to 363 from 335 in 2023, indicating that incidents remain frequent despite stricter regulations. Experts have cautioned against interpreting the reduction in fines as a decrease in regulatory interest or enforcement efforts. Regulators remain committed to holding organizations accountable for data protection compliance, ensuring that companies across all sectors adhere to GDPR requirements. The ongoing enforcement underscores the EU’s dedication to safeguarding citizens’ personal information.