Irish DPC Report Shows Continued AI Scrutiny, Record Fines, & Public Concern Over Data Use

Key Takeaways

• €652M in Fines: Major penalties were imposed on LinkedIn and Meta, alongside enforcement actions involving Sligo County Council and Maynooth University.
• AI Takes Center Stage: The DPC launched new inquiries into AI model training and led a coordinated EU effort resulting in a formal EDPB opinion on AI data use.
• Children’s Data Enforcement: Follow-up actions led to platforms like Instagram and TikTok making children’s accounts private by default.
• Public Trust and Concern: 76% of people surveyed were concerned about digital profiling, while 70% said they trust the DPC to uphold their data rights.
• Workload and Resources Growing: The DPC closed over 10,500 cases in 2024 and increased its staff from 210 to 251, with further resourcing needs flagged.

Deep Dive

Ireland’s Data Protection Commission (DPC) published its 2024 Annual Report this week, offering a wide-ranging account of enforcement activity, regulatory developments, and public sentiment around data protection in a year marked by growing scrutiny of artificial intelligence and increasing cross-border responsibilities.

The report confirms that the Commission imposed a total of €652 million in administrative fines in 2024, with major penalties issued to LinkedIn and Meta Platforms Ireland, alongside smaller enforcement actions involving Sligo County Council and Maynooth University.

Several of the DPC’s most visible activities centered around the use of personal data in artificial intelligence. The regulator launched new inquiries into the training of AI models by Google and Meta, issued enforcement measures requiring Meta to pause plans to train LLMs on public Facebook and Instagram content, and initiated legal proceedings that led to X suspending its AI tool “Grok” from processing personal data.

Inquiries were also launched into the Health Service Executive (HSE) over sensitive health data and into Ryanair’s use of biometric information.

Meanwhile, the DPC monitored follow-up compliance with corrective measures ordered in previous inquiries involving TikTok and Instagram, both related to children’s data. The DPC states that enforcement led to children’s personal data being set as private by default, though the underlying decisions remain under appeal.

Enforcement Activity and Caseload

In total, the Commission finalized 11 inquiry decisions in 2024 and issued four preliminary draft decisions and seven Article 60 draft decisions for EU co-review. None of the latter were objected to by peer supervisory authorities. The Commission reports 89 statutory inquiries on hand at year-end, 51 of which are cross-border in nature.

The regulator received over 11,000 new cases, concluded 10,510, and resolved 2,357 formal complaints, including a backlog from prior years. Data breach notifications totaled 7,781, marking an 11% increase from 2023. Of these, roughly half involved correspondence sent to the wrong recipient, a consistent trend in recent years.

One of the year’s most significant developments was the DPC’s request for a statutory opinion from the European Data Protection Board (EDPB) on the use of personal data in AI model training. After a 14-week review involving multiple regulators, the EDPB adopted a formal opinion in December 2024. The move marks an effort to harmonize enforcement and guidance across the EU at a time when AI development is accelerating and regulatory clarity remains limited.

The DPC also participated in over 180 EDPB meetings and handled 1,175 mutual assistance requests from other data protection authorities. The agency was designated by Ireland as a fundamental rights body under the EU AI Act, and is expected to play a role in market surveillance under the legislation.

Public Attitudes Reflect Caution Around AI and Digital Profiling

To coincide with the report, the DPC released findings from its first Public Attitudes Survey, conducted in May 2025. The results reflect growing public concern over how personal data is used, particularly in the context of emerging technologies.

• 74% of respondents said it’s important for organizations to comply with data protection rules, even if it slows technological development.
• 76% were concerned about personal data being used to build digital profiles that could be sold or shared.
• 61% expressed concern about AI in general.
• Older individuals were significantly more concerned than those aged 18–34.

70% of those surveyed said they trust the DPC to uphold their data rights. Among those who had interacted with the regulator, 50% had a more positive view afterward, while 3% reported a more negative impression.

The Commission’s staff increased from 210 to 251 in 2024, but the report notes ongoing resource challenges, particularly in light of expanded responsibilities under new EU digital legislation. The DPC provided input on 56 pieces of draft legislation and continued to develop sector-specific guidance, including a schools toolkit and materials for adult safeguarding professionals.

The DPC also prosecuted eight companies for sending unsolicited marketing messages, with the court ordering charitable donations in lieu of fines. A total of 146 electronic direct marketing investigations were concluded.

As the regulatory and privacy landscapes grow more complex, particularly around AI and political advertising, the DPC continues to expand its cooperation with other national and EU bodies, though the scale of its workload, cross-border role, and new mandates under EU law suggest that resourcing and coordination will remain a key issue heading into 2025.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.