Key takeaways from Ireland's DPC annual report

On 19 June, Ireland's Data Protection Commission released its Annual Report for 2024. The report focuses on data protection issues and the DPC's evolving role under the EU Artificial Intelligence act and other digital laws. The DPC is the lead supervisory authority for many of the world's major technology platforms, and this report provides a lens into the evolving nature of EU General Data Protection Regulation enforcement against some of the largest companies on the planet.

This year's report reveals significant developments across investigations, litigation, inter-regulatory cooperation and cross border enforcement. The report gives us high-level information on the DPC's decisions, inquiries and litigation matters, and includes summaries of each.

A separate report setting out case studies has also been released, which covers topics that frequently arose in 2024, including access, deletion and rectification requests. It also includes details of the prosecution of a gym, clinic, fast-food company and Google for unsolicited marketing SMS messages and provides case studies of data breaches. The case studies on data processing are particularly useful and outline the importance of carrying out a legitimate interest assessment when relying on legitimate interest, and other fundamental data processing issues.

Investigations and inquiries

The DPC concluded 2,357 formal complaints and resolved 8,418 cases through amicable means in 2024.

The DPC concluded four large-scale cross-border inquiries, resulting in administrative fines totaling more than 652 million euros, demonstrating the commission's capability to undertake highly complex multinational investigations.