Ireland has once again topped a league table of European countries for issuing data fines.
The 2024 edition of global law firm DLA Piper’s annual GDPR and Data Breach Survey shows that supervisory authorities across Europe have issued a total of €1.78 billion in fines since 28 January 2023, which is an increase of 14.1% from 2022.
In May 2023, the Irish Data Protection Commission (DPC) imposed a record €1.2 billion fine on Facebook parent company Meta for breaches relating to the transfer of personal data from the EU to the US.
Meta said it would appeal the ruling and what it described as the “unjustified and unnecessary fine”.
It was the largest ever EU privacy penalty, exceeding the previous record fine of €746 million which was imposed on Amazon in 2021.
According to today’s report, Ireland has recorded the highest aggregate GDPR fines issued since 25 May 2018, with the total value of GDPR fines imposed in Ireland now hitting €2.86 billion.
Across the countries surveyed, there was an average of 335 data breach notifications per day from 28 January 2023 to 27 January 2024 compared to 328 during the same period last year.
Ireland saw a noticeable increase in breach notifications during 2023 bringing the national average in line with 2021 levels after a dip in 2022.
Social media and big tech remain the primary target for record fines across the countries surveyed with each of the top ten largest fines issued since 25 May 2018 being imposed on businesses in this sector.
While there was a 14% increase in data fines last year, it was a much smaller rise than the 50% rise reported the previous year.
DLA Piper said this has mainly been driven by a number of successful appeals in various jurisdictions, which have seen fines reduced or in some cases completely overturned, as well as fewer fines issued by European data protection authorities following opinions and binding decisions of the European Data Protection Board (EDPB) under the GDPR consistency mechanism.
The survey covers all 27 member states of the European Union, plus the UK, Norway, Iceland and Liechtenstein.
“As Irish Data Protection Commissioner Helen Dixon steps down after a decade, her legacy of firm but fair leadership sets the stage for a new panel of commissioners at the DPC who will continue to face complex challenges under the watchful eye of the EDPB,” said John Magee, Partner and Chair of Data, Privacy & Cybersecurity at DLA Piper in Dublin.
“While some key regulatory decisions have been reached, many remain under appeal through both the Irish and EU courts – leading to an unresolved legal landscape post-GDPR.”
“For businesses navigating this evolving data protection framework, balancing strategic adaptability with operational efficiency remains a challenging tightrope to walk,” Mr Magee said.