Top GDPR Fines in December 2024: Key Lessons for Compliance


The General Data Protection Regulation (GDPR) has continued to enforce its strict standards on organizations across the EU, emphasizing the importance of data protection and privacy compliance. December 2024 saw significant fines imposed on companies that failed to meet GDPR requirements. Here’s a breakdown of the top five fines, the violations that led to them, and the lessons organizations can learn.

1. OpenAI’s €15 Million Fine in Italy

The Italian Data Protection Authority (Il Garante) fined OpenAI €15,000,000 for multiple GDPR violations related to its ChatGPT chatbot. This fine stemmed from OpenAI’s failure to report a data breach within the required 72-hour window, a critical GDPR requirement under Article 33. Further investigations revealed:

  • Violations of the principles of legality, transparency, and accuracy.
  • Lack of a legal basis for processing data used to train its AI models.
  • Insufficient privacy notices provided to users.

This case underscores the importance of timely breach reporting and establishing a legal basis for all data processing activities. Organizations must also ensure transparency in their data practices and provide adequate privacy notices to users.


2. Netflix’s €4.75 Million Fine in the Netherlands

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Netflix €4,750,000 for inadequate privacy notices between 2018 and 2020. Specific shortcomings included:

  • Vague descriptions of the purposes of data processing.
  • Insufficient details on data access, retention periods, and data recipients.

This complaint was initiated by the Austrian organization noyb (None of Your Business), highlighting the growing role of privacy advocacy groups in GDPR enforcement. Organizations must ensure that privacy policies are comprehensive, clear, and compliant with GDPR standards.


3. Meta’s €251 Million Fine in Ireland

Ireland’s Data Protection Commission penalized Meta for a security vulnerability in Facebook’s “View-As” function. The vulnerability allowed unauthorized access to 3.3 million EU user profiles. Violations included:

  • Breaches of data protection by design and by default principles.
  • Failure to meet breach reporting obligations under Article 33.

Meta’s fine serves as a reminder of the need for robust security measures and proactive identification of vulnerabilities. Companies should adopt a privacy-by-design approach and conduct regular security audits to protect user data.


4. KASPR’s €240,000 Fine in France

France’s CNIL (Commission Nationale de l'Informatique et des Libertés) fined KASPR €240,000 for unlawfully collecting contact data from LinkedIn profiles without user consent. Violations included:

  • Relying on “legitimate interest” as the legal basis instead of obtaining user consent.
  • Failing to meet transparency and information obligations.

This case highlights the risks of scraping personal data from online platforms. Businesses must ensure they have user consent and comply with transparency requirements when processing personal data.


5. €17,366 Fine for a Rental Company in Sweden

A rental company in Sweden faced a €17,366 fine for installing video surveillance cameras in a multi-family building’s common areas without sufficient justification. The Swedish Data Protection Authority (Integritetsskyddsmyndigheten) found:

  • Unlawful surveillance.
  • Failure to inform residents about the cameras.

This fine illustrates that even small organizations are subject to GDPR enforcement. Businesses must assess the necessity and proportionality of surveillance and meet their obligation to inform individuals about data collection practices.


Key Takeaways for Organizations

These fines provide valuable lessons for organizations operating within the EU:

  1. Prioritize Transparency: Clearly inform users about how their data is collected, processed, and shared.
  2. Establish Legal Grounds for Processing: Ensure data processing activities have a lawful basis, such as consent or legitimate interest, and document this thoroughly.
  3. Enhance Security Measures: Regularly audit systems to identify and mitigate vulnerabilities. Adopt privacy-by-design principles.
  4. Comply with Reporting Obligations: Promptly report data breaches to regulatory authorities to avoid additional fines.
  5. Review Surveillance Practices: Ensure video monitoring is lawful, necessary, and proportionate, and inform individuals about its purpose.

Other Fines

LinkedIn – €310 Million Fine
In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for violating GDPR in its advertising practices. The investigation revealed that LinkedIn used both member-provided data and information from third-party partners for behavioral analysis and targeted advertising without obtaining formal user consent, thereby infringing Articles 5, 6, 13, and 14 of the GDPR.

Uber – €290 Million Fine
In August 2024, Uber faced a €290 million fine from the Dutch Data Protection Authority for storing European drivers' sensitive personal data in the United States without adequate safeguards. The data included payment details, identity documents, location data, and medical and criminal records. These transfers violated GDPR's rules on international data transfers, especially following the invalidation of the EU-U.S. Privacy Shield in 2020.

Meta Platforms Ireland Limited – €91 Million Fine
In 2024, Meta was fined €91 million for GDPR breaches, including unauthorized data processing and lack of transparency in its operations. The specifics of the violations were not detailed in the available sources.

Enel Energia SpA – €79.1 Million Fine
Enel Energia SpA, an Italian energy company, was fined €79.1 million in 2024 for GDPR violations. The details of the infractions were not specified in the available sources.

Amazon France Logistique – €32 Million Fine
In 2024, Amazon France Logistique was fined €32 million for breaches of GDPR regulations. The specific nature of the violations was not detailed in the available sources.

Conclusion

As GDPR enforcement continues to hold organizations accountable, compliance must remain a top priority for businesses of all sizes. The financial and reputational costs of non-compliance can be significant. By learning from these cases, organizations can strengthen their data protection practices and avoid similar penalties.
