More than half of European fines for data breaches came from Ireland

Tue, 21 Jan, 2025 - 16:19

Cianan Brennan

Ireland’s Data Protection Commission was responsible for more than half of the €1.2bn levied by European states for data protection breaches in 2024.

The Irish regulator, which until recently was frequently the target of ire in some European locations for its perceived lack of action against big tech companies, has in recent years begun routinely handing out eye-watering fines to those adjudged to have breached data protection law as a result of multi-year investigations finally coming to a close.

The DPC has issued €3.5bn in fines since the advent of the General Data Protection Regulation (GDPR) in 2018.

Last year the commission issued fines of €310m and €251m against jobs network Linkedin and Facebook owner Meta respectively.

The level of fines issued by the DPC is currently more than four times that of the next placed European regulator, Luxembourg, which has issued €746m in fines over the same period.

Some €5.9bn in fines have been issued to the current date across the EU bloc, the latest edition of the GDPR Fines and Data Breach Survey – issued by law firm DLA Piper – said.

The €1.2bn in levies issued across Europe last year is actually a significant decrease on the level of penalties seen in previous years, with that figure fully 33% less than the corresponding figure from 2023, breaking a seven-year run of heightened enforcement seen within the EU nations.

Generally attributable

However, that fall is generally attributable to the absence of a similar level fine in 2024 to the €1.2bn penalty the Irish DPC delivered to Meta in 2023 regarding the social networking giant’s transatlantic transfer of its users’ personal data to the US – still the largest data protection fine in history.

Probably the most noteworthy fine handed out from outside Ireland in 2024 was delivered by the Dutch data protection authority, which levied €290m from ride-sharing app Uber, again on foot of the tech company’s transfer of European citizens’ personal data to the US, where data protection is afforded far lower importance by the federal government.

While fines of scale in European countries branched into sectors other than big tech last year, such as the €6.2m levied from a Spanish bank for inadequate security measures and a €5m penalty delivered to an Italian utility company, a notable outlier in terms of fines was the UK which issued very few over the 12 months – with its information commissioner John Edwards making clear last November that he doesn’t believe that such large fines have a discernible effect on those being regulated.

Last month it emerged that only a fraction of fines levied by the DPC have actually been paid to date by big tech companies – with just €20m collected thus far out of the €3.26bn in penalties handed down, with that total received representing just 0.6% of the fines decided on by the DPC.

The re-election of Donald Trump to the US presidency may present a unique headache in future for tech regulators across the eurozone, given Mr Trump’s general hostility to the EU as a trade partner in general, and his courting of multiple big tech CEOs ahead of his inauguration, the majority of whom maintain large presences across Europe, and in Ireland in particular.

One of the main recipients of admonishments from the DPC, Meta, this week petitioned the High Court here to overturn what it described as a “wholly disproportionate” €91m fine from the regulator for improperly storing user passwords.