Despite the GDPR having been in force for more than five years, non-compliance with its provisions still leads to numerous fines. These mainly target American actors, but also a number of French companies that seem convinced they can escape scrutiny.
2023 marks another record year for fines related to GDPR violations, according to the latest study by DLA Piper published in January 2024. European supervisory authorities issued a total of 1.78 billion euros (1.94 billion dollars) in fines between late January 2023 and late January 2024, representing an increase of over 14% compared to the total issued in the previous year (between late January 2022 and late January 2023).
Ireland, breaking all records
Ireland remains in the lead this year with the highest number of fines issued since May 25, 2018, the date the GDPR came into effect. It also takes the top spot for the heaviest fine ever imposed, with a fine of 1.2 billion euros (1.31 billion dollars) issued against Meta last year, relegating Luxembourg to second place on the podium.
The total value of GDPR fines issued in Ireland now stands at 2.86 billion euros (3.12 billion dollars). Given that Ireland is a highly sought-after country for technology companies to establish their main establishment within the European Union, it’s not surprising that it has risen to the top of the country ranking, with social media platforms and major technology companies being the primary targets of the record fines imposed in the country.
“Ireland’s Data Protection Commission (DPC) continued to play a central role in shaping GDPR interpretations this year, notably with key decisions and fines on issues ranging from data transparency and transfer to information security and children’s privacy,” says John Magee, Partner and Head of the “Data, Privacy, and Cybersecurity” department at DLA Piper.
John Magee adds, “While some key regulatory decisions have been made, many are still under appeal before Irish and European courts, leading to an unresolved legal landscape after the implementation of the GDPR. For businesses navigating this evolving data protection framework, balancing strategic adaptability and operational efficiency remains a challenging tightrope.”
Social media and big tech, primary targets for fines
Social media platforms and big tech companies remain the primary target of record fines across all studied countries, with each of the top ten fines issued since May 25, 2018, being imposed on such companies.
Non-compliance with the GDPR’s fundamental principles continues to be the most frequently cited reason for fines across all jurisdictions studied. Violations of the principles of lawfulness, fairness, and transparency remain an enforcement priority. Fines resulting from breaches of the principle of integrity and confidentiality – and the related Article 32 (security of processing) – also continue to feature in all studied jurisdictions.
Continuing the trend of the past two years, there were an average of 335 data breach notifications per day between January 28, 2023, and January 27, 2024, compared to 328 during the same period the previous year. Taking the margin of error into account, there is effectively no change in the number of breach notifications from one year to the next. Germany, the Netherlands, and Poland reported the highest number of data breaches notified between January 28, 2023, and January 27, 2024, with 32,030, 20,235, and 14,167 respectively. Denmark leads the table for the number of breach notifications made per 100,000 inhabitants.
In France, a 40 million euro fine for Criteo
In France, in June 2023, the CNIL imposed a fine of 40 million euros on the company Criteo. The CNIL reproaches the online advertising specialist for not having verified that the individuals whose data it processes had given their consent.
The severity of the sanction is due in particular to the fact that the processing in question concerns a very large number of people (the company holds data on approximately 370 million identifiers across the European Union) and that it collects a very large amount of data on the consumption habits of Internet users. Although the company does not hold the name of the Internet user, the CNIL considered that the data was sufficiently precise to allow, in some cases, the reidentification of individuals.
The CNIL has identified five GDPR violations against the company Criteo:
- Failure to demonstrate that the person has given consent (Article 7.1 of the GDPR)
- Failure to comply with the obligation of information and transparency (Articles 12 and 13 of the GDPR)
- Failure to respect the right of access (Article 15.1 of the GDPR)
- Failure to respect the right to withdraw consent and to erase data (Articles 7.3 and 17.1 of the GDPR)
- Failure to provide for an agreement between joint controllers of processing (Article 26 of the GDPR)
In late December 2023, the CNIL also fined Amazon France Logistique 32 million euros for implementing an excessively intrusive system for monitoring employees’ activity and performance. The company was also sanctioned for video surveillance without sufficient information and security.
Finally, in October 2023, the CNIL fined the Canal+ Group 600,000 euros, notably for not complying with its obligations regarding commercial prospecting (direct marketing) and the rights of individuals. Based on findings made during inspections, the restricted formation – the CNIL body responsible for imposing sanctions – considered that the company had failed to meet several obligations provided for by the General Data Protection Regulation (GDPR) and the French Postal and Electronic Communications Code (CPCE).
To go further, find out how our deepeo software solution can help you with features such as:
- Data deletion: deletes all data for any data subject you no longer have a business or legal reason to hold.
- Data anonymisation: performs the same operations as data deletion, but anonymises a data subject’s data instead of deleting it.