The Irish Data Protection Commission (DPC) issued administrative fines of €652m ($771m) during 2024, its new annual report shows. That’s a big drop from the total of over €1.5 billion ($1.6 billion) in fines in 2023.
The Commission also processed slightly fewer new cases – 11,091 compared to 11,200 the year before. The number of concluded cases was also slightly lower than before, with 10,510 in 2024, down from 11,147 in 2023. Even though the DPC reports slightly fewer completed cases than before, it still says it “was active on several other fronts during what proved to be a very busy year.”
The DPC also began new inquiries this year into issues concerning AI models, biometrics, and the security of sensitive health data.
“There are potentially immense benefits to society arising from AI technologies but it is critical that new technological developments are introduced in a way that protects individuals, especially children and the vulnerable, from harm,” the DPC concluded.
Largest fine on LinkedIn
The largest fine of the year, €310m ($360.3m), was issued in October to LinkedIn Ireland Unlimited Company for violations of the EU GDPR when processing the personal data of its registered users for marketing and analytics purposes.
The second and third largest fines were issued to Meta: €240m ($278.9m) over concerns about user tokens, and €91m ($105.8m) for password storage failures, namely storing users’ passwords without encryption or cryptographic protection.
In 2024 the DPC concluded the following inquiries under the GDPR and the Data Protection Act (DPA) 2018:
Organizations | Decision Issued | Fine Imposed | Corrective Measure Imposed |
---|---|---|---|
Airbnb Ireland UC | January | N/A | Reprimand re GDPR Articles 5(1)(c) and 6. |
Apple Distribution International Limited | February | N/A | No infringements found. |
Groupon Ireland Operations Limited | March | N/A | Reprimand re GDPR Articles 5(1)(c), 6(1), 12(2), 15(1), 15(3) and 17(1). |
Apple Distribution International Limited | March | N/A | Order to bring processing into compliance and Reprimand re GDPR Articles 13(1)(c) and 13(1)(d). |
Mediahuis Ireland Group Ltd (formerly Irish News and Media plc) | June | N/A | No infringements found. |
Meta Platforms Ireland Limited | September | €91m ($105.8m) | Reprimand re GDPR Articles 5(1)(f), 32(1), 33(1), and 33(5). |
LinkedIn Ireland Unlimited Company | October | €310m ($360.3m) | Order to bring processing into compliance and Reprimand re GDPR Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c). |
Sligo County Council | November | €29,500 ($34,284) | Temporary ban on CCTV at a number of locations. Order to bring processing into compliance and Reprimand re GDPR Articles 5(1)(a), 5(1)(c), 5(1)(e), 5(1)(f), 13, 24, 25, 30, and 32(1). DPA sections 71(1)(a), 71(1)(c), 71(1)(e), 71(1)(f), 71(10), 72, 72(1), 72(2), 75, 75(1), 75(3), 76(2), 78, 79, 81, 82(2), 84 and 90(1). |
Maynooth University | November | €40,000 ($46,484) | Reprimand re GDPR Articles 5(1)(f), 32(1) and 33(1). Order to bring processing into compliance with Article 32(1). |
Meta Platforms Ireland Limited (Token Breaches – Art. 33) | December | €11m ($12.8m) | Reprimand re GDPR Article 33. |
Meta Platforms Ireland Limited (Token Breaches – Art. 25) | December | €240m ($278.9m) | Reprimand re GDPR Article 25. |
Breach notifications up
GDPR breach notifications kept increasing, with a total of 7,781 notifications – an 11% increase from 6,991 in 2023. Most of the breaches occurred within the private sector (3,958), with 3,137 in the public sector, and 251 within the voluntary and charity sector.
The top three issues, accounting for 65% of complaints, were:
- Subject Access Requests – 34%;
- Fair Processing – 17%;
- Right to Erasure – 14%.
Of 2024’s breaches, 81% were concluded by the end of the year, and half of them were a result of correspondence being sent to the wrong recipient.
“The protection of our personal data is more important than ever as our daily transactions now routinely occur through technologies,” said Dr Des Hogan, Chairperson of the Irish Data Protection Commission.
Metric | 2022 | 2023 | 2024 |
---|---|---|---|
Fines | €1.6 billion ($1.7 billion) | €1.5 billion ($1.6 billion) | €652m ($771m) |
Processed new cases | 9,370 | 11,200 | 11,091 |
Concluded cases | 10,008 | 11,147 | 10,510 |
Some of the types of breaches: | | | |
GDPR breach notifications | 5,828 | 6,991 | 7,781 |
Received cross-border complaints | 125 | 156 | N/A |
Concluded cross-border complaints | 246 | 279 | 145 |
Cross-border inquiries | * | 51 | 53 |
Statutory inquiries | 88 | 89 | 89 |
Electronic direct marketing complaints | 204 | 230 | 198 |
Concluded electronic direct marketing investigations | 207 | 237 | 146 |
Law Enforcement Directive (LED) complaints | 38 | 32 | 33 |
Concluded LED complaints | 58 | 37 | 19 |
Criticism of EU GDPR
The EU GDPR has faced criticism for being too complex and carrying high compliance costs, and many are concerned about its effect on innovation and economic growth for smaller companies, especially around AI. Earlier this year, the Swedish Privacy Protection Authority IMY also said the regulation needs changing because of the widespread perception in Sweden that it is difficult to apply, and that it “creates a large administrative burden even when the privacy risks are low.”
Yet the Irish DPC says in its new report that it stands behind the regulation.
“The GDPR is working well and is standing the test of time, but we must not lose sight of its essence which is to ensure that the individual right to data protection is respected and individuals do not suffer risks and harms as a result of their personal data being improperly used.”
The regulator says it seeks to ensure that the regulation continues to be central when developing new technologies, and it is “committed to fair, proportionate, clear and consistent regulation to deliver real benefits and safeguards for individuals, whilst enabling responsible and people-centred innovation.”