GDPR Offenders Shell Out Over $1 Million Daily in Fines during 2024
Since its inception in 2018, the General Data Protection Regulation (GDPR) has seen a staggering issuance of 2,083 fines, totaling €4.5 billion ($4.9 billion) in penalties as of April 2024.
Data from Finbold indicates a sustained crackdown on privacy infringements against European citizens, resulting in fines amounting to €137 million ($149 million) from January 1 to April 30, 2024. Companies violating GDPR provisions have been hit with daily fines averaging €1.1 million ($1.2 million) during this period, with Spain alone accounting for 30 of the 76 penalties issued.
In the initial four months of 2024, offending companies faced an average penalty of approximately €1.8 million ($1.95 million) per violation. These figures are sourced from the GDPR Enforcement Tracker, national regulators’ announcements, and previous reports by Finbold.
Notably, while no single fine in 2024 surpassed the record-breaking penalty imposed by the Republic of Ireland on Meta Platforms (NASDAQ: META) in 2023—amounting to €1.2 billion ($1.3 billion)—the year witnessed several significant fines.
In early February, the Italian government fined Enel Energia, an electricity and gas provider, €79 million ($86 million) for unlawfully obtaining private data for telemarketing. Following closely was a €32 million ($34.7 million) fine against Amazon France Logistique by France, stemming from its intrusive employee surveillance system.
In April, the Czech Republic imposed the third-largest penalty of the year, fining Avast Software nearly €14 million ($15 million) for sharing user data with Jumpshot for targeted marketing. Hellenic Post faced a €3 million ($3.2 million) fine for failing to prevent data leaks to the dark web. Additionally, UniCredit Bank was fined €2.8 million ($3 million) by the Italian government for insufficient data security measures following a cyber attack.
Despite ongoing efforts by EU regulators to address privacy concerns, the fines issued in the first four months of 2024 underscore the persistent challenges. Notably, several large penalties relate to past incidents, such as the UniCredit Bank cyber attack from 2018 and Avast’s data sharing in 2019. Similarly, Amazon France Logistique’s violations targeted temporary workers during the April 2020 pandemic lockdown, raising questions about regulatory timeliness.
While European law enforcement’s actions demonstrate a commitment to data security and privacy, the timing of severe violations highlights potential shortcomings in the enforcement system envisioned by the GDPR.