Data police: Ireland is the top country issuing GDPR fines

18 Jan 2024

Image: © Quatrox Production/Stock.adobe.com

A report from DLA Piper said the DPC played a central role in GDPR interpretations last year and noted that a ‘pay or okay’ subscription model is currently under debate in the EU.

Ireland’s Data Protection Commission (DPC) issued the lion’s share of GDPR fines in 2023, with the country remaining on top for data enforcement.

That’s according to a new report from law firm DLA Piper, which shows that Ireland recorded the highest aggregate GDPR fines issued since 25 May 2018. The total value of GDPR fines imposed in Ireland to date is more than €2.8bn.

The report looked at fines issued by countries since 28 January 2023. The survey covers all 27 EU member states, plus the UK, Norway, Iceland and Liechtenstein. Data supervisory authorities issued fined worth €1.78bn last year, according to the report.

Ireland also took the top spot for the largest ever fine imposed, with its €1.2bn fine issued against Meta last year. This trumps the €746m fine issued to Amazon by Luxembourg in 2021, which was the previous record holder.

The report said multiple enforcement actions by regulators across the EU took place last year for alleged illegal transfers of personal data. It also noted that social media and Big Tech remain the primary target for record fines.

John Magee, partner and chair of data, privacy and cybersecurity for DLA Piper Ireland, said the DPC played a “central role in shaping GDPR interpretations” for 2023. But the agency has been criticised by various EU entities – including the European Data Protection Board (EDPB) for how it handles GDPR investigations.

“As commissioner Helen Dixon steps down after a decade, her legacy of firm but fair leadership sets the stage for a new panel of commissioners at the DPC who will continue to face complex challenges under the watchful eye of the EDPB,” Magee said.

“While some key regulatory decisions have been reached, many remain under appeal through both the Irish and EU courts – leading to an unresolved legal landscape post-GDPR.

“For businesses navigating this evolving data protection framework, balancing strategic adaptability with operational efficiency remains a challenging tightrope to walk.”

Challenges ahead

Currently, it appears Big Tech players are shifting to a subscription model as a way to deal with GDPR issues. For example, Meta plans to offer users paid versions of its apps as a way for them to avoid targeted advertising.

This method has faced opposition however, with opponents issuing GDPR complaints over what has been called a “pay for your rights” subscription plan. The DLA Piper report said this “pay or okay” subscription model faces a bumpy road ahead when it comes to regulators and privacy activists.

Meanwhile, the report claims there was no overall change in the number of data breach notifications made – an average of 335 breach notifications per day between 28 January 2023 to 27 January 2024, compared to 328 the previous year.

Ireland was the only outlier in this respect with a noticeable increase in breach notifications during 2023. But the report also warned that some businesses may be simply not disclosing breaches.

It is a mandatory legal requirement under GDPR to notify personal data breaches to supervisory authorities, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“This threshold remains open to interpretation and with the consequences of notifying a breach now more apparent with multiple fines issued for data breaches coupled with follow-on litigation and compensation claims, organisations which may initially have erred on notification may now be shying away from doing so,” the report said.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com