GDPR Report: €4.2B in fines, 72% awareness, 6,680 enforcement actions

EU Commission's 2nd GDPR report reveals €4.2B in fines, 72% public awareness, and 6,680 enforcement actions since 2018.

European Commission

On July 25, 2024, the European Commission published its second report on the application of the General Data Protection Regulation (GDPR), providing a comprehensive assessment of the landmark privacy law's impact since its implementation in 2018. The report, released just last month, examines the GDPR's effectiveness, challenges, and areas for improvement across the European Union.

According to the Commission's findings, the GDPR has largely achieved its twin objectives of empowering individuals and creating a level playing field for businesses operating in the EU's digital market. The report highlights increased awareness among EU citizens about their data protection rights, with 72% of respondents across the EU indicating familiarity with the GDPR.

The Commission's evaluation reveals that data protection authorities have significantly ramped up enforcement efforts. Since the GDPR's implementation, authorities have imposed over 6,680 fines totaling approximately €4.2 billion. Ireland's data protection authority has levied the highest total amount of fines at €2.8 billion, followed by Luxembourg at €746 million.

Complementing the Commission's report, the privacy watchdog organization noyb (None of Your Business) released its 2023 annual report last month as well, highlighting significant victories in GDPR enforcement. According to noyb, their efforts led to over €2 billion in GDPR fines against major tech companies in 2023 alone. The organization reported filing 210 complaints and winning 11 court cases throughout the year, demonstrating the increasing role of civil society organizations in holding companies accountable for data protection violations.

Despite these positive developments, the Commission's report identifies several areas requiring further attention. One key challenge is the need for more consistent interpretation and application of the GDPR across member states. The Commission notes that diverging interpretations of key data protection concepts by national authorities create legal uncertainty and increase compliance costs for businesses, particularly for small and medium-sized enterprises (SMEs).

To address these issues, the Commission has proposed new procedural rules to streamline the handling of cross-border cases. This proposal, currently under negotiation by the European Parliament and Council, aims to harmonize administrative procedures and enhance cooperation between national data protection authorities.

The report also emphasizes the importance of international data transfers in today's globalized economy. Since 2020, the EU has adopted new adequacy decisions for the United Kingdom and the Republic of Korea, allowing for the free flow of personal data to these countries. Additionally, the EU-US Data Privacy Framework, adopted in 2023, has facilitated data transfers between the EU and the United States.

However, the Commission acknowledges ongoing challenges related to international data transfers, particularly in light of the Court of Justice of the European Union's Schrems II judgment. This ruling invalidated the previous EU-US Privacy Shield and imposed stricter requirements for data transfers to third countries.

To address these challenges, the Commission has developed modernized standard contractual clauses (SCCs) and is working on additional tools to assist organizations in complying with international data transfer requirements. The report also highlights the need for increased cooperation with data protection authorities in third countries to ensure effective enforcement of the GDPR against non-EU entities targeting the European market.

The Commission's report underscores the GDPR's role as a cornerstone of the EU's digital policy framework. It notes that several recent EU initiatives, such as the Digital Services Act, the AI Act, and the Data Act, build upon and complement the GDPR's principles.

Looking ahead, the Commission identifies key areas of focus for the coming years:

  1. Robust enforcement of the GDPR, including swift adoption of the proposed procedural rules.
  2. Proactive support for stakeholders, especially SMEs, in their compliance efforts.
  3. Ensuring consistent interpretation and application of the GDPR across the EU.
  4. Enhancing cooperation between regulators at national and EU levels.
  5. Advancing the EU's international strategy on data protection.

The report calls on various stakeholders, including the European Data Protection Board, national data protection authorities, and Member States, to take specific actions to address these priorities. For instance, it urges Member States to ensure the full independence and adequate resourcing of their national data protection authorities.

The Commission itself commits to several actions, including continued monitoring of Member States' compliance with the GDPR, supporting exchanges between national authorities, and reflecting on ways to improve cross-regulatory cooperation in the digital sphere.

This comprehensive evaluation of the GDPR's application comes at a critical juncture for data protection in the EU. As the digital landscape continues to evolve rapidly, with emerging technologies like artificial intelligence presenting new challenges, the GDPR's principles of data protection and individual empowerment remain more relevant than ever.

The report's findings and recommendations are likely to shape the future of data protection policy in the EU and beyond. As businesses, policymakers, and individuals grapple with the complexities of data protection in the digital age, the GDPR's ongoing evolution and implementation will undoubtedly play a crucial role in shaping the landscape of privacy rights and data governance for years to come.

Key Facts

The report was published on July 25, 2024.

72% of EU respondents are aware of the GDPR.

Over 6,680 fines totaling €4.2 billion have been imposed since GDPR implementation.

Ireland has imposed the highest total fines at €2.8 billion.

New adequacy decisions have been adopted for the UK, Republic of Korea, and the US.

The Commission has proposed new procedural rules for handling cross-border cases.

The report identifies 5 key focus areas for the future of GDPR application.

Several recent EU digital initiatives build upon and complement the GDPR.

Noyb's efforts led to over €2 billion in GDPR fines against major tech companies in 2023.