As 2024 draws to a close, we would like to take a look back at the year, as we have done in previous years. In addition to reviewing the fines imposed by data protection supervisory authorities, we have decided to include relevant court rulings and security incidents in our review this year. A lot has happened – time to review the year.
While the total amount of fines has grown steadily over the last two years, a decline must be noted for 2024. While the total was still EUR 2.11 billion in 2023, it fell to EUR 1.22 billion this year. It should be noted that when querying our database, we only record fines for which the date of the decision is known. The query period covered January 1 to December 31, 2024. The decline is partly due to the fact that the 2023 figures are distorted by the €1.2 billion fine imposed on Meta by the Irish Data Protection Authority. There was no such record-breaking fine this year, but there were several fines in the tens of millions. Among others, LinkedIn, Meta, and Uber received heavy penalties.
In October, the Irish Data Protection Authority imposed a €310 million fine on LinkedIn after a complaint was filed in 2018 by the French non-profit La Quadrature du Net. The company had used personal data collected by itself and through third-party providers to perform behavioral analysis of its users and serve targeted advertising. Users had not given their consent for this and were not adequately informed about the collection and processing of their data.
Shortly before Christmas, Meta was hit again: a system vulnerability had led to a data breach, resulting in unauthorized access to 29 million Facebook user accounts, 3 million of which were located in the EU. The perpetrators used an exploit in the platform's “View As” feature to create fake user tokens in order to access the accounts. The authority subsequently imposed a €251 million fine.
After receiving an increasing number of complaints, the Dutch data protection authority launched an investigation into the ride-hailing company Uber. It was found that the company transferred personal data of its drivers to the US without ensuring adequate protection. The violation resulted in a €290 million fine.
German data protection authorities imposed only 266 fines totaling around EUR 2.5 million over the course of last year. Since not all authorities have disclosed the number and amount of their fines, this figure should be understood as a lower limit. Compared to the previous year, there has been a clear decline in both the amount and the number of fines – in 2023, there were 357 fines totaling EUR 4.94 million. With 73 fines imposed, Bremen topped the list this year by number, ahead of Hesse with 47 and Thuringia with 38.
The highest fine was imposed by the Hamburg Commissioner for Data Protection and Freedom of Information against a service provider in the amount of EUR 900,000. By mid-November 2023, this service provider had collected six-figure data sets, all of which contained personal information. Some of these had been stored for five years beyond the retention period. There was no legal basis for this.
The second-highest fine in 2024, amounting to EUR 220,000, was imposed by the State Commissioner for Data Protection of Lower Saxony on a credit institution. The bank had used its customers' personal information to create profiles of them, which it then used to contact them for targeted advertising purposes. In the opinion of the data protection officer, this constituted a change of purpose that could not have been expected by the customers.
As in the previous year, we also inquired with the Federal Network Agency (BNetzA) in addition to the German data protection authorities. Although this authority does not impose fines under the GDPR, the fines often relate to data protection issues, such as unauthorized contact for advertising purposes. In 2024, the BNetzA imposed eleven fines totaling EUR 1.373 million. As in 2023, most cases involved so-called cold calls, in which consumers were confronted with unauthorized advertising calls. According to Section 7 (2) No. 1 of the Unfair Competition Act (UWG), these calls constitute unreasonable harassment and can be punished with fines. In addition, in 2024, the Federal Network Agency imposed fines for violations of the prohibition on number suppression in advertising calls pursuant to Section 28 (1) No. 9 in conjunction with Section 15 (2) first half-sentence TDDDG (formerly TTDSG).
As in previous years, we have compared the activities of the German authorities with the fine practices of other large EU countries. This year, we again took a closer look at France, Spain, and Italy.
The French data protection authority CNIL recorded a decline in the total amount of fines for 2024, although the number of fines continued to rise. While there were 42 sanctions with a total value of ~€89.1 million in 2023, the number rose to 87 fines with a total value of ~€55.2 million in 2024. The majority of this was accounted for by a fine of €50 million imposed on the telephone provider Orange. Under the simplified procedure, the authority imposed 69 sanctions with a total amount of €715,000, three times as much as in the previous year.
In contrast to the previous year, Spain recorded a significant increase. Although the total number of fines imposed was slightly lower than in the previous year (309) at 289, the total amount of fines significantly exceeded the previous year's figure: At just under EUR 38.6 million, it was significantly higher than the EUR 9.3 million in 2023. The reason for this increase was an increase in fines in the mid-single-digit million range, such as the fine against “The Phone House Spain” with EUR 6.5 million following a ransomware attack, the energy supplier Endesa Energía with EUR 6.1 million for inadequate response to a security breach, and the bank Caixabank with EUR 5 million for transmitting a customer's receipt to unauthorized third parties.
Italy also saw a significant increase. With 146 fines imposed, not only did the number increase compared to the previous year (124), but so did the total amount: from €25 million in 2023 to €122 million this year. The reason for the increase is mainly the authority's efforts to crack down on illegal telemarketing – with EUR 79.1 million, the authority imposed its highest ever fine on Enel Energia for failing to adequately secure databases against unauthorized access. But OpenAI, with EUR 15 million for violating transparency requirements and failing to verify age, and Foodinho, with EUR 5 million for the unlawful processing of location data, also made headlines this year.
In direct comparison with other large EU countries, the German supervisory authorities are once again lagging behind, as in previous years, while Italy in particular is making significant gains. Large fines in the millions are rather rare in Germany.
In 2024, the number of data breaches reported to the German supervisory authorities in accordance with Art. 33 GDPR decreased. At the time of publication of this article, this figure stands at 8,623, which represents a significant decrease compared to 2023 (24,749). As statistics on reported data breaches were not available from all supervisory authorities at the time of publication, the article will be revised when additional reports are received, and the figure should be understood as a lower limit.
Hesse recorded the most breaches in 2024 (2,141), followed by Berlin (1,262) and Saxony (1,002). As in the previous year, the majority of data breaches were related to hacker attacks, data loss, incorrect document delivery, or technical defects.
This year, we would like to add another section and present the most important security incidents of the year. We start this year's security incidents with what is probably the biggest incident. On July 19, 2024, there were massive IT failures worldwide, which also brought infrastructures such as airports, subway networks, and emergency calls to a standstill. Over 8.5 million devices displayed blue screens of death (BSOD) and got stuck in a boot loop. The trigger was a faulty file in CrowdStrike software that had been downloaded via a Windows update. Payment systems for supermarkets were also affected, some of which had to fall back on cash payments or close completely. Investigations following the incident revealed that a quarter of Fortune 500 companies were affected by the CrowdStrike outage. Losses from the outages are estimated at $5.4 billion, and legal proceedings against the company are still ongoing.
At the beginning of the year, cloud provider Snowflake was hit after attackers gained access via an inadequately secured employee account. They then stole sensitive data such as names, email addresses, and phone numbers. Addresses and some credit card information were also stolen. Among the companies affected were Ticketmaster and Santander Bank. It is estimated that the data of 560 million people was compromised.
But ransomware groups were also anything but idle this year. Two attacks on US companies are particularly noteworthy here. The pharmaceutical technology giant Change Healthcare, a UnitedHealth Group company, was the victim of a massive ransomware attack. Its websites were barely accessible, if at all, and prescriptions could not be filled. The ransomware group ALPHV/BlackCat claimed to have captured 6 TB of data, including source code and information on the military programs in which Change Healthcare is involved, as well as various other insurance options. According to the company, the data of at least 100 million people was compromised. Current estimates put the cost of the ransomware attack at $2.457 billion – but this figure could rise, as the first state has already announced plans to sue Change Healthcare over the incident. Cleo Communications also fell victim to a ransomware group, but this time at the end of the year. The company's various file transfer software solutions were massively attacked. The reason for the intrusion was an insufficiently patched security vulnerability.
But hackers weren't the only ones responsible for security incidents, as the Cariad case shows. The VW subsidiary came to attention after detailed data on 800,000 electric vehicles belonging to the VW Group was discovered on an unprotected web server. Using additional access data from a VW-owned service, app users could be queried and linked to the vehicles. This made it possible to view a detailed movement profile and email address. In some cases, the address and mobile phone number were also visible. A complete list of all those affected would go beyond the scope of this report. Not enough? If you want to find out what happened to the IHK, Goethe University Frankfurt, or Caritas in 2024, you can find detailed information in our security incidents section.
As in the previous year, we would like to take this opportunity to report on the special decisions made this year.
Among other things, the third round in the Schrems v. Meta legal dispute was particularly relevant this year. In decision C-446-21, Schrems complained about the fact that he had frequently received advertisements specifically targeting homosexuals. However, there were no references to his sexual orientation on his profile. Schrems argued that these advertisements were the result of an analysis of his interests, which he considered unacceptable. In its ruling, the ECJ made it clear that social network operators may not use additional data from third-party providers to create personalized advertisements through analysis and aggregation. The ruling is likely to have a huge impact, as it more or less turns the entire business model of the company upside down.
There were also two important decisions regarding data retention: In its decision C-470-21, the ECJ allowed more possibilities for data retention in the context of preventive storage of IP addresses, but restricted these in its decision C-178-22. Judicial review of data retention is necessary, as it carries the risk of serious interference with the fundamental rights of the data subject. If you are interested and would like to stay up to date, please take a look at our database!
2024 was an exciting year with numerous events and changes. But 2025 already promises to be just as eventful. The AI boom will not only occupy data protection authorities—organizations that develop, deploy, and use AI will also have to deal more intensively with the relationship between AI and data protection law in 2025. The boundaries of what constitutes lawful use of personal data within AI models and what does not remain unclear. With the new US President Trump and his declared cautious approach to AI regulation, tensions with the more heavily regulated European market are likely to arise.
The attempt by European data protection authorities to hold executives and managing directors of companies, as well as other members of management bodies, personally liable for violations of the GDPR will also attract attention in 2025. The Dutch data protection authority has announced that it will investigate whether the directors of Clearview AI can be held personally liable for the company's alleged ongoing violations of the GDPR. This investigation is considered a high-profile example, as personal liability is a powerful lever for driving compliance.
The “consent or pay” model will also be put to the test in 2025. The European Data Protection Supervisor and the Irish Data Protection Authority have virtually ruled out the possibility of contracts or legitimate interests being used as a basis for processing personal data for advertising purposes. This leaves consent as the only option. The EDPB opinion considers consent or payment models of large platforms to be mostly incompatible with the GDPR. Meta will now challenge these findings before the Court of Justice of the European Union – we remain excited to see what happens!
The table includes the fines reported to us by the supervisory authorities. It will be updated accordingly as the authorities submit further information. Figures use a dot as the thousands separator (e.g., 2.543.209 = EUR 2,543,209).
| Supervisory authority | Fines total | Total in € | Data breaches |
|---|---|---|---|
| Baden-Württemberg | n.a. | n.a. | n.a. |
| Bavaria (non-public sector) | n.a. | n.a. | n.a. |
| Bavaria (public sector) | 0 | 0 | n.a. |
| Berlin | 21 | 72.030 | 1.262 |
| BfDI | n.a. | n.a. | n.a. |
| Brandenburg | 5 | 33.500 | 505 |
| Bremen | 73 | 207.702 | 199 |
| Hamburg | 20 | 1.119.704 | 955 |
| Hesse | 47 | 554.986 | 2.141 |
| Mecklenburg-Vorpommern | n.a. | n.a. | n.a. |
| Lower Saxony | n.a. | n.a. | n.a. |
| North Rhine-Westphalia | n.a. | n.a. | n.a. |
| Rhineland-Palatinate | 12 | 15.600 | 752 |
| Saarland | 18 | 269.423 | 884 |
| Saxony (public sector) | 11 | 14.580 | 1.002 (both sectors) |
| Saxony (non-public sector) | 18 | 199.000 | included above |
| Saxony-Anhalt | n.a. | 14.230 | n.a. |
| Schleswig-Holstein | 3 | 1.614 | 602 |
| Thuringia | 38 | 50.840 | 321 |
| Total | 266 | 2.543.209 | 8.623 |