GDPR Fines in 2024: A Year of Significant Penalties and Trends

In 2024, the enforcement of the General Data Protection Regulation (GDPR) across Europe remained robust, with data protection authorities imposing substantial fines on organizations for various violations. The total fines amounted to €1.2 billion, marking a 33% decrease from the €1.78 billion reported in 2023.  

Despite this decline, the year witnessed notable enforcement actions, particularly by the Irish Data Protection Commission (DPC), which was responsible for over half of the total fines issued.  

Ireland’s Dominance in GDPR Enforcement 

Ireland’s DPC has solidified its position as a leading enforcer of GDPR compliance. Since the regulation’s implementation in May 2018, the DPC has imposed fines totaling €3.5 billion, surpassing other European regulators by a significant margin. This leadership is partly due to the presence of numerous tech giants’ European headquarters in Ireland, making the DPC the lead supervisory authority for these companies.

Major Fines Imposed in 2024 

Several high-profile fines were levied in 2024, underscoring the continued vigilance of data protection authorities:

  • LinkedIn: In October, the Irish DPC fined LinkedIn €310 million for processing personal data without an appropriate legal basis in its advertising practices. 
  • Uber: The Dutch Data Protection Authority imposed a €290 million fine on Uber in August for transferring driver data to the U.S. without adequate safeguards, violating GDPR provisions. 
  • Meta Platforms (Facebook): In December, Meta was fined €251 million by the Irish DPC for a 2018 data breach that affected approximately 29 million Facebook accounts.  

Trends and Observations 

While the total fines in 2024 decreased compared to the previous year, this reduction is primarily attributed to the absence of exceptionally large fines like the €1.2 billion penalty imposed on Meta in 2023. The consistent enforcement actions indicate that data protection authorities remain committed to upholding GDPR standards.  

Additionally, there is a growing focus on personal liability, with regulators examining the roles of individual company directors in data protection violations. This shift suggests that future enforcement may increasingly target not only organizations but also their leadership.  

The year 2024 demonstrated that GDPR enforcement continues to be a priority for European data protection authorities. With Ireland’s DPC leading in the imposition of fines, organizations operating within the EU must remain vigilant and proactive in their compliance efforts. The emphasis on personal liability further underscores the importance of robust data protection practices at all organizational levels. 

Change in the US state privacy landscape accelerated in 2024, often hindered and sometimes helped by federal efforts. Limited (but real) state-level enforcement, laws taking effect in 4 new states, and enactment in 7 additional states add up to major action. I expect this trend to continue in 2025, with 5 new privacy laws taking effect, 3 more to take effect later this year, and we already have privacy drafts in additional states: HI, OK, IL, PA, SC, MA and, most importantly, NY (which includes some very strict data fiduciary concepts). Adding to the complexity are new applications of existing laws to privacy environments via lawsuits, such as ‘trap and trace,’ wiretap and pre-loading of third-party cookies. This will certainly add to the growing complexity of compliance for businesses navigating an increasingly fragmented landscape of state regulations, which is only going to be exacerbated in 2025.


Author

Dan Clarke
President, Truyo
January 22, 2025