Since the implementation of the General Data Protection Regulation (GDPR) in 2018, a staggering 2,083 fines have been issued, totaling €4.5 billion ($4.9 billion) in penalties by April 2024.
According to data compiled by Finbold, watchdogs have sustained their crackdown on privacy breaches against European citizens in 2024, imposing fines totaling €137 million ($149 million) from January 1 to April 30. The figures reveal that companies violating GDPR provisions have been forking out an average of €1.1 million ($1.2 million) per day during the first 120 days of 2024. Over the four-month span, 76 penalties were issued, with Spain accounting for 30 of them.
In the initial months of 2024, offending companies paid an average of approximately €1.8 million ($1.95 million) each. The fines are sourced from the GDPR Enforcement Tracker, official announcements from relevant national regulators, and Finbold’s previous GDPR Fines reports.
The Major GDPR Fines of 2024
While none of the fines in 2024 surpassed the record set by the Republic of Ireland in 2023, when it compelled Mark Zuckerberg’s Meta Platforms to pay €1.2 billion ($1.3 billion), the year witnessed several substantial penalties.
In early February, the Italian government fined Enel Energia, an electricity and gas supplier, €79 million ($86 million) for unlawfully obtaining individuals’ data for telemarketing. The second-largest fine, €32 million ($34.7 million), was imposed on Amazon France Logistique by France for implementing an excessively invasive surveillance system to monitor employees.
In April, the Czech Republic imposed the third-largest penalty of the year. Avast Software, renowned for its antivirus solutions, was held accountable for sharing user data with Jumpshot Jumpshot for personalized marketing, resulting in a fine of nearly €14 million ($15 million).
The Greek watchdog fined Hellenic Post, the state-owned postal service, €3 million ($3.2 million) for failing to prevent personal data leakage to the dark web. Lastly, UniCredit Bank received the fifth-largest penalty from the Italian government, amounting to €2.8 million ($3 million), due to inadequate security measures leading to a significant cyber attack and data breach.
EU Regulators Address Data Breach Backlog
Despite ongoing efforts by European regulators to address privacy and security concerns, the fines issued in the first four months of 2024 underscore the magnitude of the issue, with several major penalties relating to past incidents. For instance, the UniCredit Bank cyber attack occurred in 2018, while Avast’s data sharing took place briefly in 2019.
Additionally, some of Amazon France Logistique’s GDPR violations targeted temporary workers in April 2020, during a period marked by leniency to mitigate the impact of the Covid-19 pandemic and ensuing lockdowns. Although European law enforcement’s actions in 2024 demonstrate the bloc’s dedication to safeguarding data security and privacy, the timing of many severe violations highlights potential shortcomings in the system, considering the apparent delay in imposing fines, despite GDPR’s aim to streamline enforcement and expedite regulatory efforts.
