Since the introduction of the General Data Protection Regulation (GDPR) policy in 2018, a whopping 2,083 fines have been issued, with penalties amounting to €4.5 billion ($4.9 billion) in total by the end of April 2024.
According to the data compiled by Finbold, the watchdogs have continued their efforts to crack down on privacy violations against European citizens in 2024 and have fined violators a total of €137 million ($149 million) between January 1 and April 30.
The data shows that companies breaching the provisions of GDPR have been paying—on average—as much as €1.1 million ($1.2 million) per day through the first 120 days of 2024. In total, 76 penalties have been issued in the four months, with Spain accounting for as many as 30.
During the first full months of 2024, the average amount paid by violating companies was approximately €1.8 million ($1.95 million).
The fines are based on the GDPR Enforcement Tracker, announcements from relevant national regulators, and Finbold’s earlier GDPR Fines reports.
The biggest GDPR fines of 2024
Though none of the fines levied in 2024 broke the record set by the Republic of Ireland in 2023 when it compelled Mark Zuckerberg’s Meta Platforms (NASDAQ: META) to pay €1.2 billion ($1.3 billion), the year nonetheless featured the imposition of multiple large penalties.
According to the official announcement, in early February, Enel Energia—an electricity and gas supplier—was penalized by the Italian government for illicitly acquiring private individuals’ data for telemarketing purposes. The fine amounted to €79 million ($86 million).
The second-biggest fine—€32 million ($34.7 million)—was levied against Amazon France Logistique by France for setting up an inappropriately intrusive surveillance system intended to monitor employees’ activity and productivity.
In April, the Czech Republic became responsible for the third-biggest penalty of the year. Avast Software, best known for its antivirus software, was found responsible for forwarding its users’ data to a firm called Jumpshot Jumpshot for personalized marketing purposes. As a result, the online security company was compelled to pay a penalty of nearly €14 million ($15 million).
Hellenic Post – the state-owned postal service – became the target of the fourth-largest fine of 2024 when the Greek watchdog found that it had failed to prevent personal data from being leaked to the dark web. In turn, Hellenic Post was forced to pay a penalty of €3 million ($3.2 million).
Finally, the gift-largest penalty was issued to UniCredit Bank by the Italian government. Similar to Hellenic Post, the banking giant was found to have insufficient measures to ensure data security – and has, thus, been the target of a significant cyber attack that led to a large-scale data breach – and was fined €2.8 million ($3 million).
EU regulators continue to deal with a backlog of data breaches
Despite the European regulators’ continued efforts to tackle privacy and security issues, the fines levied in the first four months of 2024 highlight the scale of the issue. Indeed, several of the largest penalties issued since the year started pertain to old issues.
For example, the UniCredit Bank cyber attack and data breach took place six years ago in 2018. Similarly, Czech law enforcement confirmed that Avast was forwarding its users’ data only in a relatively brief period during 2019.
Similarly, at least a part of the GDPR violations made by Amazon France Logistique targeted temporary workers in April 2020 – a period noted for companies being granted more leeway to offset the hardships of the Covid-19 pandemic and the resulting lockdowns.
Ultimately, while the actions of European law enforcement since the start of 2024 highlight the bloc’s commitment to ensuring data security and privacy for the people of Europe, the timing of many of the most severe violations showcases the scale of the issue and hints toward possible deficiencies in the system given the apparent tardiness of the fining.
The matter is especially pointed given that the GDPR was passed, in part, to streamline data protection enforcement and expedite the regulators’ efforts.
