€1.2 billion in fines levied in 2024 for GDPR breaches in the EU

EDPB 2024 annual report also highlights cooperation between regulators and sizeable fines against large tech for data protection breaches.

According to the report, the EDPB’s case register in 2024 included 350 cross-border cases, which, along with the procedures initiated under the so-called “one-stop-shop” mechanism, underscored “the high degree of coordination among DPAs in tackling complex, cross-jurisdictional data protection issues.”

The fines levied in the EU as a result of local authorities’ enforcement efforts totalled more than €1.2bn ($1.4bn).

In addition to a table breaking down the fines by jurisdiction, the report includes a “non-exhaustive” list of national enforcement actions.

Three very large fines, two by the Irish DPA against Meta and LinkedIn at €91m ($103m) and €310m ($352m) respectively, and one by the Dutch DPA against Uber at €290m ($329m), account for approximately 55% of the fines levied in the bloc.

Graphic: Martina Lindberg

The German DPA led in terms of activism with 416 enforcement decisions handed down, but was in seventh place when it came to the total number of fines levied, which came in at a modest total of over €13m ($15m).

Graphic: Martina Lindberg

The Italian DPA was active in 2024 with 140 enforcement decisions and with over €145m ($165m) in fines levied. It is unclear why the sizeable fine levied by the Garante against Enel Energia SpA at approximately €79m ($90m) did not make the case list included in the document in this instance.

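| Country | # Decisions | EUR | USD |
|---|---|---|---|
| Ireland | 7 | 652,029,500 | 740,672,911 |
| Netherlands | 16 | 328,030,000 | 372,625,679 |
| Italy | 140 | 145,332,449 | 165,090,395 |
| France | 87 | 55,212,400 | 62,718,526 |
| Spain | 281 | 35,592,200 | 40,430,960 |
| Germany | 416 | 13,802,044 | 15,678,432 |
| Sweden | 6 | 5,280,000 | 5,997,816 |
| Greece | 22 | 4,301,249 | 4,886,004 |
| Finland | 3 | 4,206,000 | 4,777,806 |
| Poland | 25 | 3,053,976 | 3,469,164 |
| Lithuania | 13 | 2,423,971 | 2,753,510 |
| Austria | 63 | 1,682,880 | 1,911,668 |
| Hungary | 26 | 853,788 | 969,860 |
| Belgium | 8 | 708,371 | 804,674 |
| Croatia | 38 | 552,200 | 627,272 |
| Romania | 83 | 371,116 | 421,569 |
| Denmark | 4 | 298,657 | 339,259 |
| Estonia | 9 | 164,100 | 186,409 |
| Bulgaria | 25 | 159,885 | 181,621 |
| Portugal | 23 | 138,375 | 157,187 |
| Cyprus | 22 | 133,900 | 152,104 |
| Slovakia | 38 | 85,200 | 96,783 |
| Norway | 4 | 63,000 | 71,565 |
| Slovenia | 5 | 51,000 | 57,933 |
| Liechtenstein | 3 | 22,911 | 26,026 |
| Malta | 3 | 18,000 | 20,447 |
| Czech Republic | 18 | 13,882 | 15,769 |
| Iceland | 1 | 9,961 | 11,315 |
| Luxembourg | 1 | 2,300 | 2,613 |
| Totals | 1,390 | 1,254,593,315 | 1,425,155,276 |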

The report highlights four of the “most relevant” consistency decisions issued by the EDPB in 2024. These include:

  • clarifying the criteria used to determine a controller’s main establishment within the EU in order to ensure accurate and consistent determination of jurisdiction;
  • emphasizing the essential requirements for the provision of valid consent by end users;
  • critical compliance points including transparency obligations, proportionality assessments, as well as strict safeguards in connection with sensitive data processing;
  • guidance on contractual agreements between processors and sub-processors in order to ensure accountability and compliance throughout the data processing chain; and
  • mitigation of privacy risk in the processing of personal data in the context of AI models.

It also drew attention to the adoption, in April, of a new strategy for the EDPB spanning the period 2024-2027. The new strategy is organized around four regulatory pillars and focused on promoting compliance, supporting enforcement cooperation and also ensuring that the right to data protection is embedded in the overall regulatory digital framework.

The latter is consistent with the new roles the organization is likely to play in the context of the emerging regulatory architecture focused on all aspects of digital products and services within the EU.

According to EDPB Chair Anu Talus, the actions of the organization in 2024 reaffirmed its “commitment to safeguarding individuals’ fundamental rights to privacy and data protection in a fast-changing digital landscape.”

Although the fines total is sizeable, the total number of cases has dropped significantly (by 300 cases) since 2023. This may suggest that the GDPR regulatory regime is beginning to bed down, with non-compliance less frequent and less egregious than it has been over the last few years.