Skip to content
Workland
Home Locations Solutions Member Stories Bookings Events Blog About

GDPR fines are increasing; the focus is shifting to AI-companies

Hedman Law Firm

Hedman Law Firm

March 29th, 2023

Share

Supervisory authorities for personal data protection across Europe are gaining in confidence and capacity, which is reflected in the statistics on penalties for violations. More and more case-law on interpreting GDPR requirements has been collected from the prosecution of tech giants with cross-border services, and it is used with increasing skill. Also, the statistics strongly indicate a shift in the supervisory focus toward artificial intelligence and machine learning.

Trends in fines

In the second half of 2022, the European data protection supervisory authorities imposed a total of 280 fines totalling around €742 million. The year 2023 is unlikely to show a downward trend in fines; for example, the total amount of fines in January was €396 million. In total, data controllers had been fined €2.36 billion for GDPR breaches by the end of 2022.  

The sectoral breakdown of the total number of data protection breaches has not changed. The sectors most fined are commerce, media and telecommunications, financial services, health care, and the public sector. This is understandable, as these are inevitably the sectors where the most personal data is used.

It is also interesting to see the statistics on the total number and amount of GDPR fines imposed by countries. It is clear from these statistics which countries are holding accountable the European branches of global tech companies the most (for example, Ireland, 23 fines and €1.3 billion since 2018; Spain, 594 fines and €58 million since 2018). 

Andres Ojaver from Hedman Law firm talking about personal data breaches.
Andres Ojaver from Hedman Law firm talking about personal data breaches.

Some examples from the second half of 2022

Instagram Meta Platforms, Inc.

Meta's subsidiary Instagram was fined €405 million by the Irish data protection authority in September, making it the second largest fine so far, just below the €746 million fine received by Amazon in 2021.

The investigation was launched in 2020, and final conclusions were reached in September 2022, thanks to third-party hints. The company had allowed children aged 13-17 to use business accounts. These allow access to a minor's email address and phone number. In addition, the accounts of minors were not set to private by default but could be viewed by the public in some cases.

That is a little more than €405 million in school fees just for learning the principles of privacy by design and privacy by default.

Meta Platforms Ireland

In November, the Irish DPA fined Facebook's parent company Meta €265 million for inadequately implementing information security measures to protect user data.

The data protection authority launched an investigation following news that more than 533 million users' data had been found online. The data was found on a hackers' website and reportedly included names, Facebook IDs, phone numbers, locations, birth dates, and email addresses of people from more than 100 countries. Meta said the data had been "data scraped" from Facebook using tools designed to help people find their friends via phone numbers, using search and contact import functions.

The focus is shifting to AI

European data protection supervisors continue to try to reduce the profitability of generating irregular business models by making them expensive through fines. The statistics strongly indicate a shift in the supervisory focus toward artificial intelligence and machine learning and the usage of personal data to train AI. It should also be noted that discussions are ongoing in the European Union on a possible partial ban on facial recognition technologies. 

Does your company need a DPO? 

Hedman data protection experts can help you to decide whether your organisation specifically must appoint a data protection officer or, in the absence of such an obligation, whether it would be beneficial to do so due to the profile of your company and the area in which it operates.

If an organisation needs to appoint or voluntarily wishes to appoint a data protection officer to mitigate risks, but the workload is relatively small, outsourcing a DPO should be considered. 

Other Blog Posts

Need a desk for the day? Book instantly at Workland!

Whether you’re a remote worker, freelancer, business traveler, or a local professional, finding the right workspace can make all the difference in your productivity. At Workland, we understand that not everyone needs a long-term office solution – that’s why we offer our Day Pass, designed for maximum flexibility and convenience. And now, booking your Day Pass is easier than ever! You can reserve and pay for your desk online in just a few clicks. No commitments, no contracts – just a professional workspace when you need it.

Workland

January 30th, 2025

How to Make Your Pitch Stand Out? Key Takeaways from Gleb Maltsev's Workshop

Crafting a compelling pitch is an essential skill in today’s business world, yet many professionals struggle to communicate effectively. The challenge lies in balancing technical details with a message that resonates emotionally and logically with the audience. How can you create a pitch that not only sells but also inspires action and drives meaningful outcomes?

Workland

November 25th, 2024

Workland to launch a EUR 1.5 million bond issue

Workland, a full-service office and coworking space operator, is launching a bond offering this week. It is Workland Group’s first bond issue, the company plans to borrow EUR 2.5 million in several tranches. The first tranche of EUR 1.5 million will be with a term of two years and with an annual interest rate of 10.5%. Further tranches are planned for the year 2025 according to the capital needs.

Workland

December 4th, 2024