GDPR authorities accused of inactivity
www.computerworld.com
Fines and their strict enforcement are an effective way of reminding everyone involved to stick to the rules as much as possible. (AVN Photo Lab, shutterstock.com)

Data protection authorities in Europe imposed fines amounting to €1.2 billion last year, according to the seventh edition of commercial law firm DLA Piper's GDPR Fines and Data Breach Survey. For the period since January 28, 2024, this represents a decrease of 33 percent compared to the fines of the previous year. This is the first year-on-year decline in fines, it said, although 2023 was unusual: Ireland fined Meta a record €1.2 billion that year, and no comparable fines were imposed in 2024.

In total, the fines imposed since GDPR came into force in May 2018 amount to €5.88 billion. Large technology companies and social media giants in particular have had to pay. Almost all of the ten highest fines imposed since 2018 relate to the tech industry, including the fines of 310 million euros imposed on LinkedIn by the Irish data protection authority in 2024 and a €251 million fine for Meta.

Ireland continues to impose the most fines by a wide margin: since May 2018, it has now imposed fines of €3.5 billion. In comparison, Germany has imposed fines totaling €89.1 million since the GDPR came into force. According to DLA Piper, the German data protection authorities are focusing on breaches of the integrity, confidentiality and security of data processing.

GDPR remains a powerful instrument

"This year's results show that the data protection authorities in Europe continue to follow a clear line," commented Jan Geert Meents, partner in the German Intellectual Property & Technology (IPT) practice group at DLA Piper, on the latest study results. The decline in the total volume of fines is ultimately due to extraordinary events in the previous year and does not mean a slowdown in regulatory activities. The GDPR remains a powerful tool to ensure data protection and promote compliance. This is particularly true for Germany.

Data protection activists, on the other hand, have a much more sober view of the current situation in terms of procedures and fines. The noyb association with its CEO Max Schrems even speaks of inactivity of national data protection authorities. On average, only 1.3 percent of all cases before the data protection authorities result in a fine, the activists report, citing statistics from the European Data Protection Board (EDPB).

Proceedings take too long

The idea that the GDPR has brought about a shift towards a serious approach to data protection has largely proven to be wishful thinking, according to a statement from noyb. "European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future," Schrems says. Instead, they frequently drag out the negotiations for years, only to decide against the complainants' interests all too often.

The activists speak of a specific phenomenon in data protection. In 2022, for example, the Spanish data protection authority received 15,128 complaints. However, only 378 fines were imposed, including obvious violations such as unanswered requests for information or illegal cookie banners, which could theoretically be dealt with quickly and in a standardized manner. Those responsible at noyb cite the following as a comparison: 3.7 million speeding tickets were issued in Spain in 2022. Similar ratios would apply to practically all other EU member states.

Data protection authorities lack the motivation to enforce the law entrusted to them, complains Max Schrems, CEO of noyb. (David Bohmann PID)

"Somehow it's only data protection authorities that can't be motivated to actually enforce the law they're entrusted with," criticizes Schrems. In every other area, breaches of the law regularly result in monetary fines and sanctions. Data protection authorities often act in the interests of companies rather than the data subjects, the activist suspects.

Fines motivate compliance

It is precisely fines that motivate companies to comply with the law, reports the association, citing its own survey. Two-thirds of respondents stated that decisions by the data protection authority that affect their own company and involve a fine lead to greater compliance. Six out of ten respondents also admitted that even fines imposed on other organizations have an impact on their own company.

In fact, the focus of the data protection authorities could shift somewhat, which could lead to more fines being imposed. DLA Piper refers to an announcement by the Dutch Data Protection Authority. It wants to investigate whether the directors of Clearview AI could be held personally liable for numerous GDPR violations after a fine of 30.5 million euros was imposed on the company. "This investigation could signal a potential shift in the focus of regulators towards personal liability and more individual accountability," the legal experts interpret the move.

Personal liability: a new phase in GDPR enforcement

"The increasing focus on the personal liability of managers marks a new phase in GDPR enforcement," comments Verena Grentzenberg, partner in DLA Piper's IPT practice group in Germany with a focus on data protection. This sends a clear signal to companies that breaches of data protection will not remain without consequences, not even at the level of the individuals involved.