Financial services and energy companies increasingly under scrutiny for GDPR violations

23 Jan 2025

DLA Piper has recently published its annual report on administrative fines under the GDPR and notified personal data breaches. The report shows a 33% decrease in total fines issued compared to the previous year. Although technology and social media companies still account for the majority of fines, we see a clear trend whereby financial services and energy companies are increasingly coming under supervision.
 

According to Anna Jussil Broms, Head of Intellectual Property and Technology at DLA Piper Sweden, the decrease in total fines in 2024 is partly explained by the lack of any record fines during the year. “After an increase in administrative fines since the GDPR came into force in 2018, we are now seeing a decrease, but the number of personal data breach notifications has continued to rise,” she says.

The report also shows that the number of personal data breach notifications has increased slightly, from 335 per day in 2023 to 363 per day in 2024. The Netherlands, Germany and Poland report the highest levels of personal data breaches.

Ireland, which remains the supervisory authority that has imposed the largest administrative fines, has issued fines equivalent to €3.5 billion since May 2018. Luxembourg follows with €746.38 million over the same period.

Gustav Lundin, partner at DLA Piper in Sweden, comments on the increased supervision in new sectors: “We see GDPR supervision evolving and adapting, and also covering sectors beyond large technology companies. An example of this is the ongoing investigation by the Dutch Data Protection Authority into the possible personal liability of Clearview AI’s management team for the company’s GDPR violations.”

In 2024, the Swedish Integrity Protection Authority also issued penalty fees against several pharmacy chains, the largest of which amounted to SEK 37 million, and fined a bank SEK 15 million for insufficient security measures when using third-party providers.

Trends for 2024:

  • Decrease in penalty fees: No record fines in 2024, unlike in 2023.
  • Large technology companies and social media continue to be the biggest targets for penalties.
  • Increased supervision in financial services and energy.
  • Examples of sanctions issued in 2024:
      • Ireland: €310 million against LinkedIn and €251 million against Meta.
      • The Netherlands: €290 million against a taxi app service.
      • Spain: €6.2 million against a large bank.
      • Italy: €5 million against an energy company.
      • Sweden: Approximately €3.2 million against a pharmacy company.

In total, administrative fines under the GDPR have amounted to €5.88 billion since it came into force in 2018. The largest fine ever issued was €1.2 billion, which the Irish Data Protection Authority imposed on Meta Platforms Ireland Limited in 2023.
