Euro 2024: Top three data protection authorities revealed

To celebrate the Euro 2024 soccer tournament, we ranked the best of the data protection authorities from the nations competing in the tournament.

What matters

We are ranking the top data protection authorities from the nations competing in the Euro 2024 soccer tournament and setting out our reasons why they are ranked so highly.

What matters next

Businesses need to be aware of the different focus areas each data protection regulator has, particularly in jurisdictions where they operate. Understanding how active a regulator is and the level of fines issued is crucial in determining the level of risk associated with non-compliance.

Below, we have set out our top ranked data protection authorities and the reasons why they are our top picks.

Rank 1: Spain

No. of fines 2023: 367 / Value of fines: €29,815,410 ($31,971,810)

Taking top spot is the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), whose impressive record makes it the standout regulator going into this tournament. We have seen the AEPD take a leading global role in the protection of children online with the publication of its Global Strategy on Children, Digital Health and Privacy.

We have also seen in the AEPD’s 2023 annual report how seriously it takes compliance, with fines up 44% in value compared to the previous year, which can partially be attributed to the record-breaking 21,590 data protection complaints it received in 2023 (a 43% increase from the year before). Although the total number of fines imposed decreased by 3% compared to the previous year, the average fine stood at €81,000 ($87,000), an increase of almost 50%. 

Sector spotlight

The AEPD issued three final fines exceeding a million euros in 2023, all of them to large Spanish banks. As these three fines related to either a personal data breach or a failure to have adequately protected customer personal data, it is crucial that financial institutions offering services in Spain have sufficient technical and organizational measures in place to protect customer personal data, otherwise the regulator may reach for a red card.

2024 prediction

The AEPD has been paying increased attention to the inappropriate use of biometric access control. In November 2023, it published guidelines setting out the requirements and measures required to clock or control an individual’s access through the use of a biometric system. Companies that use or plan to use biometric control should ensure that they follow these guidelines closely and not stray offside, particularly as the AEPD recently fined a soccer club €200,000 ($215,000) for the misuse of biometric data in relation to its stadium access systems.

Rank 2: Italy

No. of fines 2023: 146 / Value of fines: €25,200,000 ($27,022,590)

Coming in second spot is the Italian data protection authority, Garante per la protezione dei dati personali (Garante), whose actions have made it a regulator not to be underestimated. In particular, the Garante caught our attention in 2023 with a number of large fines against companies using inaccurate or outdated personal data.

This includes the €10m ($10.7m) fine for an energy supplier for signing people up to contracts without first checking that the data gathered matched their current information. The Garante has also been on the offensive when it comes to non-complaint telemarketing activities, with the pick of the bunch being the €7.6m ($8.2m) fine for a large Italian telecommunications company. 

Sector spotlight

The Garante has been tackling inadequate data retention and disposal in the retail sector. In 2023, a global fashion brand was fined €240,000 ($260,000) for keeping customer data beyond the timelines set out in the record of processing and customer privacy notice. Retail companies will need to ensure they keep a clean sheet when it comes to data retention and disposal. 

2024 prediction

It is likely the Garante will continue its focus on telemarketing activities, particularly as it published a new Code of Conduct in March 2024 with the aim of protecting individuals from unwanted telephone marketing and sales. To adhere to the Code, companies will have to collect specific consent, accurately inform data subjects of the processing and ensure that they comply with data subject rights requests.

Rank 3: France

No. of fines 2023: 36 / Value of fines: €89,179,500 ($95,629,407)

Taking a very respectable third place in the rankings, is the highly effective French data protection authority, the Commission Nationale de l’Informatique (CNIL), which continues to grab headlines. The CNIL confirmed in its 2023 annual report that complaints from the general public surged in 2023, with the regulator receiving 16,433 complaints, marking a 35% increase from 2022. The CNIL conducted 340 investigations in 2023 and issued twice as many sanctions as in 2022 (which included 36 fines that amounted to an eye catching €89,179,500 ($95,629,407)).

Sector spotlight

The CNIL has imposed some hefty fines on the big players in the technology sector, such as the €40m ($43m) fine for an online advertising company for a multitude of breaches (including insufficient fulfilment of data subject rights requests) and the €5.2m ($5.6m) fine for a facial recognition company for unlawful processing and failing to co-operate with the CNIL. These fines send a warning to tech companies operating in France that the CNIL expects companies to take their data protection obligations seriously and to be a team player during any investigation. 

2024 prediction

The CNIL publicly stated in February this year that it is taking a keen interest in supermarket loyalty schemes given that they often collect significant amounts of consumer personal data. The CNIL has concerns that companies are failing to ensure consent is obtained before any data is re-used for advertising targeting purposes.

What about England?

Those reading this article will likely be unsurprised that the UK data protection authority, the Information Commissioner’s Office (ICO), did not make our shortlist. Although it has a commendable record of producing useful guidance, its continued reluctance to impose fines means that, unlike the men’s England football team, the ICO has little chance of bringing the title home.

William Moore is a data privacy lawyer advising clients on all aspects of data protection compliance under UK and EU law at Shoosmiths.