
Biggest GDPR Fines in 2024: Key Takeaways for Australian Organisations
Penalties in Europe might look relatively tame in 2024 compared to earlier years. The largest fine in 2024 under the GDPR ranks only sixth overall by monetary amount, and at 310 million Euros it is relatively modest next to the 2023 top penalty of 1.2 billion. But it’s not all good news. Reports of personal data breaches have continued to rise: the number of reports was up 8.3% in 2024, to an average of 363 per day. Interestingly, only 3 of the Top 10 GDPR penalties were issued as a result of security failures.
In this post, we’ll focus on the biggest fines from 2024 and what we can learn from them. We’ll dig into the reasons for the top ten penalties, home in on what happened in the top five, and tease out a few key takeaways for Australian organisations looking to improve their privacy posture in 2025.
The Top 10 Largest GDPR Penalties in 2024
Here’s a summary of the top ten largest GDPR penalties in 2024, based on data from the GDPR Enforcement Tracker:
In case you didn’t count, that’s:
- 6 penalties for non-compliance with general data processing principles
- 3 penalties for insufficient technical and organisational measures to ensure information security
- 1 penalty for insufficient legal basis for data processing
What Did The Companies Do & What Are The Takeaways?
Here’s a quick summary of the facts in the five largest GDPR fines from last year:
2024’s Biggest GDPR Fine: LinkedIn’s 310 Million Euro Fine
Ireland’s privacy watchdog initiated an investigation into LinkedIn for its processing of personal data for behavioural analysis and targeted advertising. It found that LinkedIn did not have a legal basis for processing the personal data in the manner it did, and that it did not have valid consent because the consent was not freely given, sufficiently informed, specific, or unambiguous. See the commission’s release for more information.
In other words, LinkedIn could not rely on legitimate interest or consent to its processing of personal information.
Key Takeaway: Ensure you have a legal basis for using Personal Information
In this matter, users were not able to freely choose how their personal information was used. We don’t have full details, but the penalty highlights the importance, if you are relying on consent, of informing users how their data will be used and providing them with a range of genuine choices about how that data will be used.
Uber’s 290 Million Euro Penalty For Unlawful Transfers
The Dutch privacy authority penalised Uber for transferring the personal information, including sensitive personal information, of European drivers to the US without a legal basis. This happened after the Privacy Shield was invalidated: Uber did not implement an alternative transfer mechanism until the Data Privacy Framework came into force in 2023. You can read more here.
Key Takeaway: Transferring Data Abroad Comes With Privacy Risks
Australian organisations that transfer personal data abroad should guard against compliance gaps, data security vulnerabilities, and inconsistent legal frameworks.
The OAIC suggests that, generally speaking, you should have an enforceable contract with any overseas recipients of personal information collected from Australian residents, if you’re a covered entity under the Privacy Act. You can read more about this on the OAIC’s dedicated page covering sending personal information overseas.
In addition to the compliance risk you face, mishandling customer data always comes with a risk of reputational harm that’s worth bearing in mind when you send data abroad. It can be more challenging to enforce your contractual rights in other jurisdictions and your customers likely won’t accept you pointing fingers at the faceless entity abroad if their data is mishandled. We’re actually seeing this play out in real time with the recent Gravy Analytics breach, which exposed location data from Candy Crush, Tinder, Spotify and other major apps around the world.
The OAIC should be providing more guidance about the jurisdictions that it regards as having sufficiently similar laws so as to be appropriate for the disclosure of personal information by Australian entities. This is part of the recently passed Privacy Act amendments. Adhering to the list of approved jurisdictions will also help reduce the risk of unlawful overseas disclosures.
Meta’s 2024 Security Failure Penalties
Meta received the third and fourth largest GDPR penalties in 2024; we cover both here.
The December 2024 Penalty
This penalty related to a 2019 data breach that impacted 3 million Europeans and 29 million Facebook accounts globally. The breach exposed the following types of personal data: full name, email, phone number, geolocation data, place of work, date of birth, religion, and gender; alongside timeline posts, group membership, and children’s personal data.
This arose from a third party’s unauthorised access via a security weakness in Facebook’s video upload functionality. Facebook identified the vulnerability internally after around 2 weeks and fixed it at that point. You can read more about this breach here.
The penalty for this breach was broken down as follows:
- 130 million Euros for the failure to build data protection requirements into the design of the product, in contravention of Article 25(1) of the GDPR.
- 110 million Euros for the failure to only collect necessary personal data by default.
- 3 million Euros for failing to adequately document the facts relating to the breach.
- 8 million Euros for not including all relevant information “that it could and should have included”.
The September 2024 Penalty
This penalty also related to security failures from 2019, when it was found that Facebook stored user passwords in plaintext. Plaintext basically means that the password was not encrypted, so it is readable by humans without any special keys or software. This is broadly recognised as an extremely poor practice.
The Deputy Commissioner at Ireland’s DPC, Graham Doyle, commented: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.” You can learn more in the release.
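To make the plaintext-storage failure concrete, here is an added example (not code from Meta, the DPC, or this post) contrasting a credential store that keeps the raw password with one that keeps only a salted PBKDF2-HMAC-SHA256 hash, plus a simple audit check that flags records still held in plaintext. The user names and passwords are constructed sample data; the record format (`pbkdf2_sha256$iterations$salt$digest`) and the `audit_store` helper are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for the illustration: 600,000 iterations matches
# current OWASP guidance for PBKDF2-HMAC-SHA256; 16-byte random salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_plaintext(users: Dict[str, str], username: str, password: str) -> Dict[str, str]:
    """Anti-pattern (what the DPC penalised): the secret itself is written to the store,
    so anyone who can read the store, including staff and attackers, has every password."""
    users[username] = password
    return users


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and serialise it as scheme$iterations$salt$digest
    (constructed record format) so the verifier can recover the parameters later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # malformed or plaintext record: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate_digest, bytes.fromhex(digest_hex))


def store_hashed(users: Dict[str, str], username: str, password: str) -> Dict[str, str]:
    """Hardened form: only the salted hash is written; the password is not recoverable."""
    users[username] = hash_password(password)
    return users


def audit_store(users: Dict[str, str]) -> List[str]:
    """Detection check: return user names whose stored value is not a well-formed
    hashed record. In a real estate this is the kind of control that would have
    surfaced plaintext passwords before a regulator did."""
    flagged = []
    for name, value in users.items():
        parts = value.split("$")
        if len(parts) != 4 or parts[0] != SCHEME:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample store mixing a legacy plaintext record with a hashed one.
    store: Dict[str, str] = {}
    store_plaintext(store, "legacy_user", "correct horse battery staple")
    store_hashed(store, "new_user", "hunter2-but-longer")
    print("plaintext records found:", audit_store(store))
    print("login ok:", verify_password(store["new_user"], "hunter2-but-longer"))
```

The audit function is deliberately simple: it only checks the record shape. In practice you would run it as part of a periodic control, alongside log scanning for password values appearing in application logs, which was the other half of the 2019 problem.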
Italy’s Privacy Watchdog’s Biggest Ever Penalty: Enel Energia SpA
On 8 February 2024, the Italian Data Protection Authority issued a 79 million Euro fine to Enel Energia, the highest penalty Italy’s Privacy Authority has delivered to date. Investigators concluded that Enel Energia mishandled the personal data of electricity and gas customers for telemarketing.
It’s reported that lax security practices allowed unauthorised agents to place nuisance calls, and that poor privacy practices meant Enel Energia signed contracts with around 9,300 customers as a direct result of its misuse of personal data. Another probe revealed that Enel Energia had acquired 978 contracts from companies outside of its sales network, without the customers’ consent. More here.
Key Takeaway: Don’t Spam Customers
The Australian Communications and Media Authority issued more than $13.5 million in penalties to companies in 2024 for spam-related breaches. We covered some key trends in ACMA infringement notices in 2023, and there are some takeaways from that piece that remain relevant today. Here they are:
- Consent is key. If you do not have consent, or you are unsure whether you have consent, it’s best to err on the side of caution and not send the email.
- You must include easy-to-access unsubscribe functionality in your marketing messages.
- It’s crucial that you have processes set up to manage unsubscribes in a timely manner. If someone unsubscribes and you don’t action that promptly, the ACMA will have concerns.
If you need help improving your privacy posture for 2025, reach out. Our team has significant experience working with Australian organisations to provide training and to implement improved privacy programs.
You can learn more about our team here and contact us for an obligation-free consultation here.