LinkedIn Fined €310 Million by Irish DPC
Ireland's Data Protection Commission fined LinkedIn €310 million for unlawfully processing personal data for targeted advertising. The decision found that LinkedIn relied on invalid legal bases — including legitimate interests and consent — for behavioural analysis across its European user base. LinkedIn was ordered to bring its processing into compliance.
DPC decisionX (Twitter) Fined €550 Million by Irish DPC
Ireland's DPC concluded its investigation into X Corp (formerly Twitter), issuing a fine of €550 million for unlawful processing of personal data for advertising purposes through the MoPub ad network. The investigation examined whether X processed special categories of personal data — including inferred political opinions and sexual orientation — for advertising without a valid legal basis.
DPC press releasesEU AI Act Enters Into Force
The EU Artificial Intelligence Act entered into force on 1 August 2024, creating the world's first comprehensive AI regulatory framework. It introduces obligations that interact directly with GDPR, particularly for AI systems processing personal data. Providers of high-risk AI systems must comply with data governance, transparency, and human oversight requirements. Full application begins August 2026.
Official text of the AI ActMeta Fined €1.2 Billion — Record GDPR Penalty
The Irish DPC issued a €1.2 billion fine against Meta Platforms Ireland for transferring personal data to the United States without adequate safeguards following the Schrems II ruling. Meta was ordered to suspend future data transfers and bring existing transfers into compliance within five months. Meta appealed the decision but the fine stands as the largest in GDPR history.
DPC announcementEU–US Data Privacy Framework Adopted
The European Commission adopted the EU–US Data Privacy Framework adequacy decision, providing a legal basis for transatlantic personal data flows to certified US companies. The framework succeeded the invalidated Privacy Shield and introduced a new Data Protection Review Court as a redress mechanism for EU individuals. Privacy advocacy group NOYB has already signalled plans to challenge it.
Commission adequacy decisionEDPB Establishes ChatGPT Task Force
Following Italy's Garante temporarily banning ChatGPT over GDPR concerns in March 2023, the European Data Protection Board established a dedicated task force to coordinate enforcement and develop a consistent EU-wide approach to large language models. The task force examined legal bases for training data, data subject rights, and accuracy obligations under GDPR.
EDPB task force newsMeta (Instagram) Fined €405M for Children's Data
Ireland's DPC fined Meta €405 million for Instagram's failure to protect children's data — including defaulting minor accounts (aged 13–17) to public visibility and displaying phone numbers and email addresses publicly. The decision was one of the first major enforcement actions focused specifically on children's data protection, reinforcing GDPR Article 8 obligations.
DPC press releaseMeta (Facebook) Fined €265M for Data Scraping
The Irish DPC fined Meta €265 million after a massive dataset of 533 million Facebook user records — scraped via the contact import feature — appeared on hacking forums in 2021. The investigation focused on Facebook's failure to implement adequate technical and organisational measures to prevent the large-scale scraping of personal data.
DPC press releaseNew Standard Contractual Clauses Published
The European Commission published modernised Standard Contractual Clauses for international data transfers, replacing the outdated 2001/2004 versions. The new SCCs feature a modular structure covering controller-to-controller, controller-to-processor, and processor-to-processor transfers, and for the first time incorporate requirements for Transfer Impact Assessments to assess third country laws.
Commission SCCs page