Ireland’s data-protection watchdog has handed out the biggest fines linked to breaches of GDPR rules since the regulations came into effect, according to figures published today (18 January).
Law firm DLA Piper said that Ireland had issued fines totalling €2.86 billion since 25 May 2018.
The Data Protection Commission (DPC) was also responsible for the largest fine imposed so far – a €1.2 billion penalty issued against Meta last year.
Successful appeals
DLA Piper’s annual GDPR and Data Breach Survey shows that supervisory authorities across Europe have issued a total of €1.78 billion in fines since 28 January 2023 – an increase of just over 14% from 2022.
This is a smaller increase than the 50% jump recorded a year earlier, which the report attributes to a number of successful appeals in various jurisdictions – which have seen fines reduced or, in some cases, completely overturned – as well as fewer fines issued by European data-protection authorities after opinions and binding decisions of the European Data Protection Board (EDPB).
Social media and big technology firms remain the primary target for record fines across the countries surveyed, with each of the top ten largest fines issued since 25 May 2018 being imposed on businesses in this sector.
Notifications flat
The report shows little change in the number of breaches of the GDPR notified in the past year. There was an average of 335 breach notifications per day, compared with 328 during the same period last year.
DLA Piper adds, however, that Ireland is an outlier in this respect, with a noticeable increase in breach notifications during 2023, bringing the national average in line with 2021 levels, after a dip in 2022.
Denmark is at the top of the table for the number of breach notifications made per 100,000 people, with Ireland moving up to third place.
‘Central role’ for DPC
The DLA Piper report comments that a “grand bargain” that enabled service providers to fund the development of consumer services in exchange for monetising their data since the earliest days of the internet is now under “sustained attack” from European supervisory authorities and Europe’s highest court.
It adds that plans by some technology firms to move to a ‘pay-or-okay’ model are set for “a bumpy ride” with regulators and privacy activists.
John Magee (partner and chair of data, privacy and cyber-security at DLA Piper in Dublin) said that the DPC continued to play “a central role” in shaping GDPR interpretations this year, with key decisions and fines on issues ranging from transparency and data transfer, to information security and children’s privacy.
“As commissioner Helen Dixon steps down after a decade, her legacy of firm but fair leadership sets the stage for a new panel of commissioners at the DPC who will continue to face complex challenges under the watchful eye of the EDPB,” he continued.
“While some key regulatory decisions have been reached, many remain under appeal through both the Irish and EU courts – leading to an unresolved legal landscape post-GDPR,” Magee added.