EDPB 2024 Annual Report: Recent Trends

The European Data Protection Board (the “EDPB”) recently published its 2024 Annual Report. It outlines EDPB activities, strategic priorities, guidance, involvement in digital legislation and enforcement cooperation.

It is evident from the Report that 2024 marked a period of (1) intensified cross-border cooperation; (2) jurisdictional variation in enforcement activity; (3) addressing technological challenges; and (4) cross-regulatory coordination.

Some key figures relating to EDPB activity outlined in the Report are as follows:

  • 28 Consistency Opinions (including 8 Article 64(2) GDPR Opinions);
  • 4 Guidance documents;
  • 6 Statements on Legislative Developments;
  • 2 stakeholder events;
  • 1 Coordinated Enforcement Framework;
  • 350 cross-border cases; and
  • 982 procedures initiated under the one-stop-shop mechanism.

Intensified Cross-border Co-operation

The EDPB did not issue any binding decisions under Articles 65 or 66 GDPR in 2024, marking the first year since 2020 without such decisions. These powers are used to resolve disagreements between data protection authorities (“DPAs”) in cross-border cases under the one-stop-shop mechanism and to allow urgent action when needed. The absence of referrals for binding decisions may indicate progress in DPAs becoming increasingly harmonised in their approaches and able to resolve areas of disagreement without having to resort to the formal procedures provided for in the GDPR. Notably, of the nine EDPB binding decisions issued under Article 65 GDPR in previous years, eight related to referrals involving the Irish DPA, the Data Protection Commission (the “DPC”). More recently, the DPC has issued a number of high-profile decisions which did not require the intervention of the EDPB under Article 65.

The Report also notes a sharp increase in the number of requests for Article 64(2) GDPR consistency opinions, which address questions of general application or those with significant cross-border implications, contributing to harmonised enforcement and legal clarity.  Of the EDPB Opinions issued in 2024, some of the more noteworthy examples are Opinion 22/2024 (Reliance on Processors and Sub-Processors), Opinion 28/2024 (Processing of personal data in the context of AI models) and Opinion 08/2024 (“Consent or Pay”).  

Jurisdictional Variation in Enforcement Activity

The Report includes a table setting out the total number and value of fines issued by DPAs in the EU Member States (some of which are subject to appeal and therefore subject to variation if they are overturned). While fines only tell part of the enforcement story (bearing in mind that orders to bring processing into compliance or to suspend international data flows can have a bigger impact even than very large fines), they can be useful to consider.

Disparity in Average Fines: There is a striking but unsurprising variation in the average fine amounts imposed by different DPAs. For example, Ireland (€93,147,071) and the Netherlands (€20,501,875) had exceptionally high average fines, largely due to a small number of very large penalties, often against major multinational technology companies. In contrast, countries such as Latvia (€439), Slovakia (€2,242) and Luxembourg (€2,300) have much lower average fines.

Low Volume, High Impact Enforcement: The total fines and average fines in some countries are heavily influenced by a small number of very large cases. For instance, Ireland and the Netherlands both had total fines in the hundreds of millions of euro, but with only 7 and 16 fines respectively, suggesting that a handful of high-profile cases dominate their enforcement statistics. This is certainly the case in Ireland where 2 fines comprise just under half of the €1.2 billion in GDPR fines issued in the entirety of the EU in 2024.

High Volume, Lower Impact Enforcement: Countries such as Germany (416 fines, average €33,178), Spain (281 fines, average €126,663), Italy (140 fines, average €1,038,089) and France (87 fines, average €634,625) have issued higher numbers of fines, but their average fine values are much lower. This is reflective of a variety of factors, including the scale of the countries, the regulators and the nature of the organisations they regulate.  

Comparing the 2024 enforcement figures against the 2023 enforcement figures contained in the EDPB’s 2023 Annual Report, the overall trend is a reduction in both the number and total value of fines. This is the first year of a reduction, after a seven-year trend in increasing enforcement. A few very large fines continue to dominate the statistics.

Addressing Technological Challenges

The Report highlights the EDPB’s focus on emerging technological challenges, particularly AI and "consent or pay" models.  Both topics generated significant attention, with the EDPB issuing Opinions (28/2024 and 8/2024) and hosting stakeholder events to address these issues.  The EDPB also issued Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework and undertook work through its ChatGPT task force.

DPA decisions in 2024 also addressed the validity of "consent or pay" models and the expanding uses of AI.  However, compliance with fundamental GDPR principles is still key, with unlawful processing, lack of legal basis, inadequate technical and organisational measures and failure to uphold data subject rights continuing to be areas of enforcement.

Cross-regulatory Coordination

Alongside developments in the longstanding areas of data minimisation and lawfulness of processing, the Report evidences the EDPB’s expanding role in monitoring the interplay between the GDPR and newer EU legislative instruments, such as the Digital Markets Act, the Digital Services Act and the AI Act.

It also merits noting the EDPB’s emphasis on aligning data protection requirements with other digital regulatory frameworks. The Report underscores the EDPB’s cooperation, for instance, with the new European AI Office, as well as its engagement with competition and consumer authorities. For many organisations, this signals that data protection obligations cannot be viewed in isolation. Ultimately, those who adopt a joined-up approach, anticipating the demands of digital services legislation, AI regulation and long-established GDPR principles, will be better positioned to adjust swiftly to emerging data governance requirements (albeit this is easier said than done).


Also contributed to by Isobel Murphy.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
