DLA Piper publishes 2025 GDPR Fines and Data Breach Survey
21/01/2026 | DLA Piper
The latest annual GDPR Fines and Data Breach Survey by DLA Piper reveals that EU data protection authorities (DPAs) issued fines totalling €1.2 billion in 2024. While this represents a 33% decrease compared to 2023, the report attributes the dip to the absence of a single record-breaking penalty, such as the €1.2 billion fine issued to Meta in May 2023. Despite this, the long-term trend remains upward, with total fines issued since 2018 now reaching €5.88 billion.
Ireland continues to be the dominant country in enforcement terms, having issued €3.5 billion in penalties in total, more than four times the amount issued by Luxembourg, the second-place country. While Big Tech and social media companies remain the primary targets, enforcement has crossed into financial services and energy, with significant penalties issued in Spain and Italy.
DLA Piper finds that a significant shift in regulatory focus involves the emergence of personal liability for management. The Dutch DPA is currently investigating whether directors of Clearview AI can be held personally liable for company failings, a move intended to drive better governance and compliance. In contrast, the UK remains an outlier, as Information Commissioner John Edwards has indicated a preference for issuing formal reprimands and enforcement notices rather than monetary penalties, which he claims would tie the regulator up in protracted litigation.
The report finds that breach notifications have levelled off, averaging 363 per day. It suggests that this plateau reflects increased organisational concern about the risks of follow-on enforcement and compensation claims.
Looking ahead, enforcement relating to artificial intelligence (AI) technologies is expected to intensify as DPAs assess the alignment of AI systems with the GDPR, which DLA Piper concludes will require organisations to implement more robust privacy-by-design frameworks.