European data regulators issued almost €3 billion in fines related to data protection infringements last year, with the Irish regulator accounting for more than a third of the figure, a report from global law firm DLA Piper found.
A total of €2.92 billion was issued over the year by authorities across Europe, according to DLA Piper’s 2023 GDPR and Data Breach Survey. The biggest fine in the year was the €405 million penalty imposed on Instagram parent company Meta Platforms following an inquiry into its historic processing of the data of Instagram users between the ages of 13 and 17 between May 2018 and September 2020.
The Data Protection Commissioner (DPC) has imposed several large fines against Meta this year in relation to Facebook and Instagram’s behavioural profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data.
The survey looks at the total fines issued for a range of GDPR infringements and publishes a league table of fines issued by each country since January 28th, 2022. The report covers the 27 member states of the European Union, as well as the UK, Norway, Iceland and Liechtenstein.
The survey found the average number of notified data breaches per day fell slightly from 328 to 300, with around 109,000 personal data breaches notified to regulators since January 28th last.
The decrease could be due to more mature notification procedures on the part of organisations the report said, but it could also be attributed to organisations becoming more wary of reporting data breaches due to the risk of investigations, enforcement, fines and compensation claims.
Although advertising and social media were the main talking points in the past 12 months, there was also a growing focus on artificial intelligence (AI), and the role of personal data used to train the technology. Among the investigations undertaken during the year were several into facial recognition company Clearview AI.
DLA Piper’s head of data protection, privacy and information security, John Magee, said 2022 was significant for the Irish data protection authorities.
“It is clear from activity throughout the year that the GDPR’s consistency mechanism, which was put in place to ensure that EU data protection law is enforced uniformly across all member states, has resulted in a tougher approach being taken by the DPC,” he said. “While most of the larger headline-grabbing fines have been levied against social media companies, the DPC is increasingly looking at organisations from all sectors, so businesses across the board would be well advised to get their house in order to avoid sanctions.”
The largest fine issued under GDPR regulations to date was issued by Luxembourg, with a €746 million fine against a US online retailer and ecommerce platform in 2021. The fine, details of which are not publicly available, is subject to an ongoing appeal. The DPC’s Instagram fine is in second place, and its €265 million penalty against Meta in third place.