Ireland’s Data Protection Commission (DPC) has launched yet another investigation into a major technology platform, with X, its Grok artificial intelligence and the company’s obligations under data protection rules under scrutiny.
It brings to five the number of active large-scale investigations into X, with inquiries also ongoing into aspects of TikTok, Google and Meta.
In total, the DPC has imposed fines of more than €4 billion since the introduction of GDPR in 2018.
To date, however, less than €20 million of that has been collected, with the remainder tied up in lengthy appeals both in the Irish legal system and at European level.
READ MORE
Once the DPC has issued its decision and alerted the company to any enforcement action, including fines, the company has 28 days to lodge an appeal. In 13 of the 15 decisions handed down by the DPC, the companies have taken legal action, ensuring that the fines cannot be collected until the process has been exhausted. The outstanding fines:
Meta, which owns Facebook, Instagram and WhatsApp, tops the list in both number of decisions against the platforms and in their total value. Eleven of the 15 inquiries that resulted in enforcement action were imposed on Meta-owned entities. In all but one case, the company appealed.
David McWilliams on how social media giants are making billions from fake ads
Meta was the subject of a blockbuster €1.2 billion fine in May 2023 that is still winding its way through the appeals system. That penalty was imposed by former commissioner Helen Dixon after a long investigation into transfers by Facebook of Europeans’ personal data to the US. The commission was instructed to impose the financial penalty by the European Data Protection Board, which represents 50 national and regional data regulators and must approve cross-border penalties for violations of the EU’s data rules.
Meta has also pushed back against several fines that were imposed in 2022. That year, the company was fined €17 million for data breaches that the company said were regarding record-keeping practices from 2018.
The decision followed an inquiry into a series of data breach notifications received by the commission between June and December 2018. The DPC said Meta Platforms failed to have “appropriate technical and organisational measures” in place to demonstrate the security measures that it implemented to protect EU users’ data.
[ Data Protection Commission investigates X over ‘nudification’ of images via GrokOpens in new window ]
That fine was paid by the end of the year.
A €405 million penalty followed in September, this time over the publication of teenage Instagram users’ personal details, such as phone numbers and email addresses, under default settings on the app’s business accounts.
A €265 million fine followed in November, relating to the scraping of data affecting 500 million Facebook users, and the company ended 2022 with a €180 million fine relating to Instagram.
The most recent DPC decision was announced in December 2024, when regulators imposed a €240 million fine on Meta Platforms Ireland over GDPR breaches. The company is also appealing an €11 million fine imposed on the same date, and a €91 million fine from September the same year over a 2019 incident where it was discovered the company had stored some user passwords in an easily readable format, instead of encrypting the data.
Messaging platform WhatsApp is in the process of appealing two fines – a €225 million penalty imposed in August 2021, and a €5.5 million fine handed down in January 2023.
The 2023 penalty was imposed after WhatsApp updated its terms and conditions, and required users to consent to data processing. While the fine is relatively small, WhatsApp is challenging the ruling because it says it complies with privacy rules.
[ WhatsApp wins right to challenge €225m Irish privacy fineOpens in new window ]
The platform formerly known as Twitter, meanwhile, got the honour of the first fine imposed by the DPC under the data privacy rules back in 2021. The fine, which came more than two years after the 2018 introduction of GDPR, was modest. The €450,000 penalty came after a 2018 incident saw some Twitter users’ protected tweets, which were set to be visible only to a person’s followers, open to other viewers. The DPC found Twitter had failed to inform the DPC of a data breach within a statutory 72-hour notification period, or to adequately document the problem, and the social media platform subsequently paid up.
Video-sharing platform TikTok was fined €345 million in 2023 for failing to protect children’s privacy, after an investigation into how some of its privacy settings and features complied with GDPR obligations.
Last year, the DPC fined TikTok €530 million over the alleged transfer of European user data to China. The social media giant lodged an appeal, arguing the fine was “penal”.
Microsoft-owned LinkedIn has also come under regulatory scrutiny. In 2024, the DPC fined the professional networking platform €310 million over practices linked to targeted advertising. The case came about after a 2018 complaint originally made by a French non-profit organisation. The DPC found that while LinkedIn had obtained the consent of its users for their personal data to be sent to third parties for generating targeted advertising, the consent was not “freely given, sufficiently informed or specific, or unambiguous”, a requirement of GDPR.
