On 19 June, Ireland's Data Protection Commission released its Annual Report for 2024. The report focuses on data protection issues and the DPC's evolving role under the EU Artificial Intelligence Act and other digital laws. The DPC is the lead supervisory authority for many of the world's major technology platforms, and this report provides a lens into the evolving nature of EU General Data Protection Regulation enforcement against some of the largest companies on the planet.
This year's report reveals significant developments across investigations, litigation, inter-regulatory cooperation and cross-border enforcement. The report gives us high-level information on the DPC's decisions, inquiries and litigation matters, and includes summaries of each.
A separate report setting out case studies has also been released, which covers topics that frequently arose in 2024, including access, deletion and rectification requests. It also includes details of the prosecution of a gym, clinic, fast-food company and Google for unsolicited marketing SMS messages and provides case studies of data breaches. The case studies on data processing are particularly useful and outline the importance of carrying out a legitimate interest assessment when relying on legitimate interest, and other fundamental data processing issues.
Investigations and inquiries
The DPC concluded 2,357 formal complaints and resolved 8,418 cases through amicable means in 2024.
The DPC concluded four large-scale cross-border inquiries, resulting in administrative fines totaling more than 652 million euros, demonstrating the commission's capability to undertake highly complex multinational investigations.
Standout cases include the 310 million euro fine handed down to LinkedIn for violations of GDPR Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c), with an accompanying order to bring its processing into compliance.
Meta Platforms Ireland faced three separate decisions: a 91 million euro fine relating to data breach reporting failures per Article 33, an 11 million euro fine for other breach reporting failures, and a substantial 240 million euro fine for infringing Article 25 GDPR concerning privacy by design and default.
The DPC also commenced three significant new inquiries: Google and the training of AI models using personal data, the Irish Health Service regarding the security of sensitive health data and Ryanair on its use of biometric data.
At year-end, the DPC had 89 active statutory inquiries, including 53 cross-border inquiries.
The report found 34% of complaints received by the DPC are related to data access requests, by far the largest number of complaints. One note for data controllers: the DPC says that, while redactions or restrictions are for the most part appropriately applied, many complaints stem from insufficient explanations by the data controller of why they are being applied. The DPC warns it is not sufficient for an organization to merely itemize the exemptions, restrictions or relevant articles of the legislation. The reason the exemption is being applied should be clearly explained to the individual and documented, such as in a table.
Enforcement
The DPC has long been an advocate for engagement with data controllers and processors and the positive use of data protection by design principles to achieve positive ex ante outcomes for data subjects. Its enforcement strategy goes beyond blunt financial penalties, although it clearly uses fines as a compliance tool when warranted in ex post scenarios. In 2024, the DPC continued this trend and issued eight enforcement notices, the majority of these addressing nonresponsiveness to data subject access requests. It also undertook enforcement under Ireland's 2011 ePrivacy Regulations, with 146 investigations concluded and eight companies prosecuted.
While big fines attract headlines, under Irish law, judicial confirmation is required before they can be enforced. In 2024, the DPC collected 582,500 euros in fines. This seems to be a drop in the ocean compared to the eye-watering 652 million euros in fines levied and is an indication that the majority of big fines are appealed and may take years to recover.
Another tool in the DPC's enforcement arsenal is to make an order setting out corrective measures that must be undertaken. The DPC will then monitor to ensure the measures are implemented. This was evident in the TikTok and Instagram decisions, where default privacy settings for children were enforced despite pending appeals.
The DPC's Direct Intervention Unit handles cases that are particularly sensitive and where immediate intervention is necessary to safeguard the data protection rights of a large number of people. The report outlines some of its activities in 2024, including investigations into the processing of health data by organizations for purposes other than that for which it was originally processed, the processing of health data by nursing homes and lack of appropriate safeguards for vulnerable residents. The DPC also investigated organizations that requested excessive data for the provision of services to adults in vulnerable situations.
The litigation section of the report includes an outline of the DPC's power to seek injunctive relief under the Data Protection Act. It was used for the first time in 2024 to prohibit the processing by social media platform X of personal data contained in the public posts of its EU/EEA users for the purpose of training its AI tool, Grok. This arose in the context of engagement with X during the development of the tool, when X shared a DPIA and legitimate interest assessment with the DPC.
In July 2024, the DPC became aware that mitigations that had been identified had not been completed prior to the processing of X user data for training Grok. The DPC asked X to cease processing, but it refused to do so. Given the real risk to the rights and freedoms of data subjects, the DPC formed the view that there was an urgent need to act immediately and made an emergency injunctive application to the court. Ultimately, X undertook to cease processing any EU/EEA X user data in scope and deleted the data set.
Breaches
In 2024, the DPC received 7,781 valid data breach notifications. This is an 11% increase on the data breach numbers in 2023. Approximately 50% of these notifications stem from correspondence being sent to the wrong recipient. Of the breach notifications received in 2024, 81% were concluded by year-end.
Inter-regulatory cooperation
The DPC has strategically enhanced its inter-regulatory function, in recognition of the convergence of data protection with broader digital regulation. In 2024, a deputy commissioner was appointed to lead on inter-agency collaboration, in light of the implementation of the EU Digital Services Act, the EU AI Act and the Political Advertising Regulation.
The DPC remains a cornerstone of the GDPR's one-stop shop mechanism. In 2024, it concluded 145 cross-border complaints and submitted 115 notifications through the Article 60 GDPR mechanism.
Since GDPR took effect in May 2018, the DPC has received 1,853 cross-border complaints, acting as lead supervisory authority for 87% or 1,612 of them. Notably, 63% of such complaints were first submitted to another supervisory authority before being transferred to the DPC under the one-stop shop mechanism, highlighting Ireland's centrality in the EU data protection regime due to the establishment of many global tech firms here.
The DPC continued its engagement and cooperation with other European Data Protection Board supervisory authorities in 2024. It handled 1,175 requests for mutual assistance, indicating deepening collaboration across Europe’s data protection ecosystem. In recognition of the importance of this activity, the DPC created a head of EDPB/International Affairs post at deputy commissioner level in October 2024 and has decided to continue with its Brussels attaché position. This illustrates the importance of the DPC's role as lead supervisory authority for many large tech companies based in Ireland and demonstrates the need to work collaboratively across all cross-border matters.
AI
As well as the Grok case mentioned above, in 2024, the DPC requested Meta to pause the training of AI using EU/EEA personal data. There was an intensive period of engagement with Meta during 2024 which was still ongoing at the end of the year.
Training AI models on personal data is an issue common across all EU jurisdictions. In the absence of an established consensus, in September 2024 the DPC referred a set of questions to the EDPB under the statutory scheme set out in GDPR Article 64(2).
The request and contributions to the development of the opinion involved a cross-functional effort within the DPC and all supervisory authorities. The entire process, including a public consultation with industry and stakeholders, was project managed by the EDPB secretariat. A formal opinion was adopted by the EDPB in late December 2024.
Other activities
Ireland's Data Protection Act requires government departments to consult the DPC on legislative or regulatory measures that will involve data processing. This is of particular importance when legislation is creating a new legal basis for the processing of personal data by public bodies or agencies. The DPC provided input on 56 legislative proposals in 2024. It has also engaged with stakeholders on issues such as body worn cameras, drone technology, facial recognition technology and CCTV, processing of children’s data by sports organizations and webinars for the nonprofit sector.
It was also involved in consultations in the education, retail, and health sectors and conducted a compliance sweep of the supermarket and convenience store sectors. It launched guidance including a data protection toolkit for schools and updated CCTV guidance to address surveillance in sensitive environments.
The report outlines the DPC's activities in support of data protection officers throughout the year, including engagement with DPO networks in the health research sector, public sector and pharmaceutical and medical device sector, and notes that its team participated in various conferences.
Funding
The DPC's 2024 budget was 28.126 million euros. This is an increase of 2.047 million euros on the 2023 budget. It onboarded 70 new staff members in 2024, bringing total staff numbers to 251 at the end of the year, and it prepared to move into its new offices on Pembroke Street, Dublin.
A more assertive, collaborative and strategic regulator
The 2024 DPC Annual Report demonstrates a mature regulator using engagement and support to improve outcomes for data subjects, while also using its enforcement powers as necessary. Its investigations yielded headline fines, but perhaps its strategic inter-regulatory engagement and collaboration signal its future direction.
With staffing increasing to 251 in 2024 and further expansion envisaged, ongoing governmental support is essential to maintain Ireland's role as Europe's leading data protection regulator.
Kate Colleary, CIPP/E, CIPM, FIP, is IAPP country leader, Ireland, and director of Pembroke Privacy.