The largest fine last year was when the Irish DPC slammed Instagram with a €405m fine for GDPR violations relating to children’s privacy.
European data regulators issued €1.64bn in GDPR fines last year, according to global law firm DLA Piper.
More than €1bn of the fines were issued by Ireland’s Data Protection Commission (DPC).
The firm published results of its annual GDPR and data breach survey for 2022 today (17 January). The survey looks at all the data regulation-related fines imposed in the 27 EU member states as well as the UK, Norway, Iceland and Liechtenstein.
Last year’s highest fine was imposed in November when the Irish DPC slammed Meta with a €405m fine for GDPR violations relating to children’s privacy on Instagram.
DLA Piper also found that 2022 was a record year for regulatory action with a 50pc year-on-year increase in the total fines issued across Europe.
The firm said that several of the largest fines imposed against Meta last year by the Irish DPC relate to Facebook and Instagram’s behavioural profiling of users and whether the lawful basis of “contract necessity” can be used to legitimise the mass harvesting of personal data.
“The Irish regulator issued fines amounting to more than €1bn euro throughout the year meaning the DPC is now top of the European table in terms of the total value of fines issued for GDPR violations,” said John Magee, partner at DLA Piper Ireland.
“It is clear from activity throughout the year that the GDPR’s consistency mechanism, which was put in place to ensure that EU data protection law is enforced uniformly across all member states, has resulted in a tougher approach being taken by the DPC.
“While most of the larger headline-grabbing fines have been levied against social media companies, the DPC is increasingly looking at organisations from all sectors so businesses across the board would be well advised to get their house in order to avoid sanctions.”
This year’s survey also found that the average number of notified data breaches across Europe fell for the first time since GDPR was introduced in 2018. This might suggest that organisations are becoming warier of notifying breaches for fear of investigations and fines.
“The fear of investigations, fines and compensation claims is likely driving what is a small but significant reduction in breach reporting numbers,” added Magee.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.
Updated, 9.55am, 24 January 2023: This article was updated to include amended figures released by DLA Piper.