GDPR fines might’ve dipped last year, but don’t get complacent – personal liability risks are rising
A decrease in big GDPR fines doesn't mean it's plain sailing for enterprises in 2025
The number of GDPR fines issued last year fell by a third compared with 2023, according to new research, but this doesn't mean data protection authorities are getting any softer.
DLA Piper's GDPR Fines and Data Breach Survey found that €1.2 billion in penalties was issued during the year, down 33%. This marks the first time the amount has fallen since the GDPR was introduced in May 2018.
Thanks to the many tech firms headquartered in the country, Ireland remains the biggest enforcer, with the Irish Data Protection Commission issuing €3.5 billion in fines since May 2018.
That's more than four times the value of fines issued by the second-placed Luxembourg Data Protection Authority, which has issued €746.38 million over that time. Total fines reported since the start of GDPR in 2018 now stand at €5.88 billion.
But DLA Piper said last year's big drop doesn't represent a weakening of enforcement; the year-on-year trend remains upwards.
The drop is instead explained by the 2023 figures being skewed by the record-breaking €1.2 billion penalty the Irish DPC issued against Meta that year, which remains the largest GDPR fine ever imposed.
"The headline figures in this year's survey have, for the first time ever, not broken any records so you may be forgiven for assuming a cooling of interest and enforcement by Europe's data regulators. This couldn't be further from the truth," said Ross McKean, partner and chair of DLA Piper's UK data protection and cyber practice.
"From growing enforcement in sectors away from big tech and social media, to the use of the GDPR as an incumbent guardrail for AI enforcement as AI specific regulation falls into place, to significant fines across the likes of Germany, Italy and the Netherlands, and the UK's shift away from fine-first enforcement – GDPR enforcement remains a dynamic and evolving arena."
It's still the big tech companies and social media giants that are receiving the largest fines, with nearly all of the top ten fines since 2018 imposed on firms operating in this sector.
Across 2024, the Irish Data Protection Commission issued fines of €310 million against LinkedIn and €251 million (£208m) against Meta. In August 2024, the Dutch Data Protection Authority issued a fine of €290 million against a well-known ride-hailing app.
The UK was an outlier in 2024, issuing very few fines. Information Commissioner John Edwards has previously said he isn't in favor of issuing fines, arguing that they are unlikely to have a significant impact and would tie the ICO up in years of litigation.
GDPR fines mirrored by personal liability risks
Perhaps most significantly, regulators have increasingly focused on failures in governance and oversight, with some enforcement decisions specifically calling out failings of management bodies.
Most notably, the Dutch Data Protection Authority announced an investigation into whether it can hold the directors of Clearview AI personally liable for numerous GDPR breaches, following a €30.5 million fine against the company.
DLA Piper said this potentially signals a shift in focus by regulators, who recognize the power of personal liability to focus minds and drive better compliance.
"For me, I will mostly remember 2024 as the year that GDPR enforcement got personal," said McKean.
"As the Dutch DPA champions personal liability for the management of Clearview AI, 2025 may well be the year that regulators pivot more to naming and shaming and personal liability to drive data compliance."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.