Ireland’s Data Protection Commission has enforced the lion’s share of a record €1.78 billion in European GDPR fines over the last year.
According to law firm DLA Piper’s annual GDPR and Data Breach Survey, authorities across Europe have handed out a total of €1.78 billion in fines since 28 January 2023, up 14% on the previous year.
With most big tech and social media firms having their European headquarters in the country, Ireland is the main data privacy enforcer. Since GDPR took effect in May 2018, it has imposed a total of €2.86 billion in fines, including the largest single fine to date: €1.2 billion imposed on Meta earlier this year for GDPR breaches by Facebook and Instagram.
“Our sense is that Ireland’s continued popularity is less to do with specific regulatory reasons and more to do with its general favorable business environment,” says Ross McKean, chair of data, privacy and cybersecurity in the UK.
“Factors such as low corporate tax, English language, common law, availability of talent and age and flexibility of workforce probably rank higher as factors for those location decisions.”
The amount imposed in fines across Europe rose less than last year, largely because of a number of successful appeals in various jurisdictions, which have seen fines reduced or in some cases completely overturned. There have also been fewer fines issued as a result of opinions and binding decisions from the European Data Protection Board.
“While some key regulatory decisions have been reached, many remain under appeal through both the Irish and EU courts, leading to an unresolved legal landscape post-GDPR,” says John Magee, partner and chair of data, privacy and cybersecurity at DLA Piper in Dublin.
“For businesses navigating this evolving data protection framework, balancing strategic adaptability with operational efficiency remains a challenging tightrope to walk.”
All ten of the largest fines since May 2018 have been imposed on big tech and social media firms. That is likely to remain the case, says DLA Piper, especially given the industry’s current attempts to move to a ‘pay or OK’ model.
Most recently, for example, Meta has come under fire over its paid-for ad-free subscription service, with a group of European consumer groups saying it breaches EU consumer laws.
Failure to comply with core GDPR principles is still the most common cause for fines, with failure to comply with the lawfulness, fairness and transparency principle remaining the top reason. Many other fines resulted from breaches of the integrity and confidentiality principle and security of processing.
The rate of breach notifications across Europe remained much the same as the year before, at an average of 335 a day as opposed to 328. Germany, the Netherlands and Poland reported the largest numbers of data breaches over the period, with 32,030, 20,235 and 14,167 respectively.
Legal uncertainty is set to continue under GDPR, says McKean.
“For social media and big tech in particular, record-breaking fines and orders to suspend illegal processing are an ever-present danger; they are in effect a ‘data tax’ when doing business in Europe,” he says.
“There are also many new and proposed laws and regulations applying to data and the digital world. Governance and effective risk management are essential for organizations to be able to tackle this complexity and compliance risk, and to ensure business continuity.”