Irish Data Protection Commission behind a third of €3bn in European fines for GDPR breaches

The Irish Data Protection Commission was responsible for more than a third of the value of all fines issued for data breaches across the EU last year.

LA Piper found fines here made up over a third of the combined €2.92bn of fines levied by the 27 European Union states plus the UK, Norway, Iceland, and Liechtenstein last year in relation to data breaches.

Authorities here issued €1bn of fines in 2022 for data breaches – including the headline-grabbing €405m imposed against Meta Platforms Ireland relating to Instagram for failing to protect children’s personal data – according to a survey by global law firm DLA Piper.

Meta is now challenging that fine in the Irish courts.

That total was a record with so-called ad-tech, which tracks internet users in order to target them with advertising and behavioural advertising, the top enforcement priority.

Ireland’s Data Protection Commissioner (DPC) has an outsized role in policing data breaches by technology giants due to their location of key infrastructure and staff here. That ha s led to significant push back at times from regulators in other jurisdictions over a perceived lack of enforcement activity here.

DLA Piper noted that some of the largest fines imposed by the Irish DPC related to so- called behavioural profiling of social media users and whether the lawful basis of “contract necessity” could be used to legitimise mass harvesting of  their personal data.

In cases involving Facebook and Instagram,  the DPC originally concluded that this was possible. But the influential overarching privacy  regulatory board, the European Data Protection Board, disagreed.

In the end,  the DPC issued penalties of €210m against Facebook and €180m against Instagram related to the social networks’ efforts to unlawfully force users to accept changes to terms of service.

DLA Piper says the current wave of fines is likely to spark lengthy appeals but raises serious questions about what i s described as the “grand bargain” at the heart of the digital economy whereby “free” digital services are funded by gathering users’  data and marketing it to advertisers.

Partner and Head of Data Protection, Privacy & Information Security at DLA Piper Ireland, John Magee, also noted that headline-grabbing fines may be having an effect on compliance more generally.

“This year’s report also found that the average number of notified data breaches per day – both in Ireland and across Europe – fell for the first time since GDPR came into force in 2018,” he said.

“The fear of investigations, fines and compensation claims is likely driving what is a small but significant reduction in breach reporting numbers.” he said.