Introduction
On 19 June 2025, the Data Protection Commission (“DPC”) published its annual report for 2024 (“the Report”). This article considers some of the highlights and other noteworthy points arising from the Report.
AI Oversight
The Report highlights the central role of the DPC in monitoring Artificial Intelligence (“AI”) in Ireland. While acknowledging the “potentially immense benefits to society arising from AI technologies”, the Report highlighted the importance of ensuring that “new technological developments are introduced in a way that protects individuals, especially children and the vulnerable, from harm”. Some noteworthy AI-related interventions on the part of the DPC included:
- Seeking Orders in the High Court preventing X (formerly Twitter) from processing personal data for the purpose of its training AI tool “Grok”, following which X agreed to suspend this processing activity. This was the first occasion in which the DPC exercised its power – as provided for under section 134 of the Data Protection Act 2018 (“the 2018 Act”) – to apply to the High Court for an order suspending or restricting the processing of personal data
- Requesting, for the first time, an opinion from the European Data Protection Board (“the EDPB”). This opinion was sought in relation to the use of personal data for AI model development and deployment. The EDPB’s opinion was published in December 2024.
- Engaging with Meta, following which it agreed to pause its plans for the usage of personal data –shared by adults on Facebook and Instagram – for AI training of large language models (“LLMs”). The DPC is the EU Lead Supervisory Authority (“LSA”) for companies which have their establishment in Ireland. In this regard, the DPC engaged intensively throughout 2024 with a range of large technology, social media and internet platform companies who are developing LLMs.
Overview of the Work of the DPC throughout 2024
- New Cases: 11,091 “new cases” (i.e. contacts made with the DPC that require further engagement beyond the initial query) were submitted to the DPC in 2024. Of these 11,091 new cases, 10,510 cases (94.8%) were concluded by year end.
- Data Subject Access Request (“DSARs”): DSARs accounted for a significant proportion – approximately 1 in 3 – of the complaints received by the DPC in 2024. The Case Studies Booklet (“the Booklet”) accompanying the Report highlights several case studies related to DSARs, in which the DPC offered some clarifications in relation to the scope of “personal data”, and data controllers’ obligations under GDPR and the 2018 Act. Some of the highlights are set out below:
- As the definition of “personal data” under GDPR covers “any information relating to an identified or identifiable natural person”, organisations acting as data controllers are not under an obligation to provide personal data relating to deceased individuals. In another case, the DPC concluded that the DSAR – in which an individual made a DSAR to a garage seeking all data related to a vehicle which the individual had purchased from the garage – did not fall within its remit. It noted that, while a vehicle’s registration plate could be considered personal data, the condition of the vehicle itself prior to a person’s ownership did not relate to the individual as a natural person.
- Organisations must ensure that they are able to demonstrate to the DPC – in the event that a complaint is made against the organisation – that adequate searches have taken place to locate any records containing personal data of an individual who has made a DSAR. In one case, the organisation in question had indicated to the requesting individual that it did not hold any documentation containing any of their personal data. Following a request by the DPC for documentary evidence of the efforts made to locate the individual’s personal data, it transpired that the organisation held three records containing the individual’s personal data which had not been provided to the individual. Following further engagement between the DPC and the organisation, the three outstanding documents containing the individual’s personal data were handed over.
- Other cases in the Booklet highlighted the importance of organisations being able to demonstrate that, when requested to do so by the DPC, it can provide the necessary, relevant information demonstrating that the stated lawful bases for the processing are appropriate to the circumstances of the processing in question. This point was highlighted in one case in which an organisation transferred an employee’s personal data to a third-party contractor (a HR consultancy firm) for the purposes of investigating a bullying claim made by the individual.
- Data Breaches: throughout 2024, 7,781 valid data breach notifications were logged (an increase of 11% from 2023). The figures also highlight the efficiency of the DPC in handling complaints, with 81% of complaints closing by year-end. Half of these complaints were made on foot of misdirected communications and correspondence to the incorrect recipient, demonstrating that human error remains a key cause of data breaches in Ireland. Some of the cases identified in the Booklet emphasise the importance of increased staff training and awareness for organisations seeking to prevent data breaches.
- Direct marketing: the Report also highlights the active role played by the DPC in investigating and prosecuting offences related to electronic direct marketing (i.e. the use of electronic means to send marketing or promotional messages directly to individuals). In 2024, the DPC received 198 new direct-marketing-related complaints, with 70% of these related to unsolicited email communications and 24% related to unsolicited text messages. The DPC concluded 146 electronic direct marketing investigations in 2024, successfully prosecuting 8 organisations related to the sending of unsolicited marketing communications without complying with the relevant opt-in / opt-out requirements under the ePrivacy Regulations 2011 (“the 2011 Regulations”). The Booklet referred to above also discusses a number of case studies related to direct marketing which will be of interest to organisations across a number of sectors.In one case the DPC clarified that communications sent solely for informational or feedback purposes do not constitute direct marketing and thus do not require an unsubscribe option.
- Supervisory Engagement: it is clear from the Report that the DPC is placing increased reliance on proactively engaging with the organisations that it regulates. This focus on engagement is borne out by some of the figures set out in the Report. In 2024, the DPC had 757 supervision engagements and a significant proportion of these were with multi-national technology companies. In addition, across all sectors the DPC engaged in 291 supervision meetings with organisations in 2024. The above suggests a potential shift in the regulatory approach of the DPC under the new Commissioners Dr Des Hogan and Dale Sunderland, both of whom took office in February 2024.
- Fines: in 2024, the DPC imposed administrative fines of over €652 million, which is a significant decrease from last year’s record breaking €1.55 billion figure. The Report (at page 35) lists some of the Decisions and Inquiries undertaken by the DPC throughout the year. It is noteworthy that, for a number of these decisions, the DPC decided not to impose administrative fines but instead applied corrective measures including reprimands and orders directing the particular organisation to bring their processing into compliance. This suggests that fines are a last resort that are intended to be dissuasive, with the DPC more concerned with the overall outcome of bringing about compliance.
Conclusion
- The Report highlights the large volume of work undertaken by the DPC throughout 2024, which shows no signs of letting up, particularly due to the DPC’s part in regulating AI, coupled with its role as the LSA for certain multinational technology companies established in Ireland. The DPC’s approach of proactive engagement with organisations to drive compliance is certainly a positive development. However, as the X case outlined above demonstrates, the DPC remain willing to use its enforcement powers under the 2018 Act, where necessary.