In 2024, EU data protection authorities imposed a total of EUR 1.2 billion in fines. This brings the total value of fines to EUR 5.88 billion since the GDPR became applicable, DLA Piper's latest report reveals.* The technology sector has been hit the hardest, with data protection focusing on managerial responsibility and privacy issues in AI tools.
The total value of fines imposed in 2024 fell by 33% compared to the EUR 1.78 billion imposed in 2023. But this doesn’t mean the focus has shifted away from enforcement relating to privacy. The decrease is mainly due to the Irish DPC's record EUR 1.2 billion fine imposed on Meta in 2023, the highest ever.
In 2024, the technology sector and social media were the most affected by data protection sanctions, with nine out of the ten highest fines being imposed on organisations in this sector. For example, the Irish authority fined LinkedIn EUR 310 million for breaching the principles of the GDPR on a number of grounds in relation to analysing user data and processing it for targeted advertising. Another significant sanction was also imposed in Ireland, where Meta was fined EUR 251 million for a data breach affecting 3 million users in the European Economic Area (EEA).
In addition to the technology sector, major fines were also imposed in the financial and energy sectors. The Spanish data protection authority imposed two fines totalling EUR 6.2 million on a major bank for inadequate security measures. And the Italian data protection authority fined a utility company EUR 5 million for using outdated or inaccurate customer data.
Hungary in the regional midfield
In terms of the total value of GDPR fines imposed since 25 May 2018, Hungary retained 17th place in the European ranking last year with around EUR 4.2 million (HUF 1.7 billion) in fines. Ireland (EUR 3.5 billion), Luxembourg (EUR 746 million) and France (EUR 597 million) made up the top three. Some of the high-profile cases in Hungary included the sanction imposed by the National Authority for Data Protection and Freedom of Information (NAIH) on a headhunting company for unlawfully processing and sharing the data of thousands of job applicants. Last year, the NAIH also issued a warning on the lawful handling of voice recordings.
Focus on AI and managerial responsibility
Privacy aspects of AI technologies are also in the focus of regulators' attention. In Ireland, the data processing practices of X's chatbot have been under scrutiny. And the Dutch data protection authority has imposed a record EUR 290 million fine on a ride-hailing app for transferring personal data to a third country. It also issued a EUR 30.5 million fine on AI company Clearview for GDPR breaches relating to data collection and facial recognition systems. The Dutch data protection authority is also investigating whether the company's directors are personally liable for multiple breaches of the GDPR.
EU rules are increasingly focusing on the personal liability of company directors, with stricter compliance requirements. Whether authorities have the power to impose personal liability in the event of a breach of the GDPR varies from Member State to Member State.
What data protection challenges can we expect this year?
Much attention is expected to be paid this year to the “consent or pay” model, which was the subject of lively debate in 2024. Users can choose between two options: consent to the use of their personal data for behavioural advertising or pay for the service. Last April, the European Data Protection Board (EDPB) finally adopted an opinion stating that major online platforms have to allow users to choose an additional “equivalent alternative” that’s free and without behavioural advertising. While EDPB didn’t state that these models cannot be lawful in any case, it concluded that in most cases they don’t comply with the GDPR requirements for valid consent and are therefore unlawful.
The EDPB's long-awaited opinion on data protection aspects of AI models, published in December, doesn’t provide clear guidance, so the boundaries of lawful use of personal data for AI tools remain uncertain.
With the rapid expansion of artificial intelligence and strict EU data protection legislation, we can expect a number of regulatory investigations, sanctions and court cases in the coming years.
*The GDPR fines and data breach survey report includes a country-by-country table of fines imposed between January 2024 and January 2025. The survey covers the 27 EU Member States, plus the UK, Norway, Iceland and Liechtenstein
By Zoltan Kozma, Partner, Head of the Intellectual Property and Technology, and Mark Almasy, Associate, DLA Piper Hungary
