The Irish data protection authority, responsible for implementing the General Data Protection Regulation (GDPR) issued privacy fines totalling €1.55 billion in 2023, a record since the GDPR came into force in 2018, it said in its activity report published yesterday (29 May).
Chinese-owned social network TikTok was fined €345m in September 2023 for mishandling the personal data of users aged under 18. The investigation found problems with default public settings, parental controls, and age verification. In 2021, the Dutch Data Protection Authority and the British Information Commissioner’s Office both fined TikTok - respectively €750.000 and £12.7 million \- for violating privacy of minors.
More significantly, Meta, the parent company of Facebook, Instagram and WhatsApp, was fined first in January 2023 for €390m for illegally processing users' data and then again in May, €1.2bn by the Data Protection Commission for improperly transferring user data from Europe to the US. The latter is the biggest GDPR fine ever inflicted, far above the 2021 €746m sanction imposed by the Luxembourg National Commission for Data Protection on Amazon.
Both Meta and TikTok appealed to the decisions.
Further penalties were imposed on the Bank of Ireland, Centric Health, the Department of Health, and the Kildare County Council ranging between €22,500 and €750,000.
Complaints
In 2023, the authority received 11,200 new complaints, an increase compared to the previous year (9,370), while it resolved 11,147 cases, an astronomical figure compared to 3,133 case resolutions in 2022.
Most of these resolutions are amicable (3,218 cases in 2023), but in the most complex situations, administrative sanctions or fines can be imposed on organisations that do not comply with GDPR provisions. This was the case in 19 instances.
Tech companies Airbnb, Apple, and Microsoft, as well as the Archbishop of Dublin and the Galway County Council, received reprimands and were invited to change their practices regarding data access and retention.
Currently, new GDPR enforcement rules are being negotiated by EU ministers to address issues related to cross-border cases. Ireland is particularly affected as 87% of cross-border cases are handled by the Irish Data Protection Commission.
