I was reading this article in the Irish Times and decided to write this post about the application of fines in privacy and data protection.

Every day we hear news that company X has been fined and the figures presented are usually quite significant.

But are these amounts actually paid?

According to the article, the Irish Data Protection Commission managed to collect only 0.6% (€19.9 million) of the €3.26 billion in fines applied between 2020 and 2024.

These are worrying numbers for a regulation that has been in place since 2018 in a territory known for its strict enforcement.

In 2023, the largest fine was applied to Meta (€1.2 billion), but only €815,000 was actually received. Of course, there are procedural steps, it is not an automatic payment and each fine carries a series of sanctions, some go ahead, others are defended, especially because fines only become payable after confirmation by the Circuit Court.

None of the fines have been considered uncollectible by the DPC so far (at least that), but most of them are parked due to ongoing appeals by companies - and that's okay, until the “final judgment” nothing needs to be paid.

I decided to bring up this point because Ireland is a country considered the “hub of bigtechs”, with several giant companies in the sector maintaining their businesses there (e.g. Meta, Google, Apple, Microsoft, Twitter and LinkedIn) due to tax benefits, and even there there is a difficulty in receiving the fines applied, what can we expect from other emerging countries with privacy laws still in their infancy?

If Europe already faces so many difficulties in enforcing the GDPR in practice, imagine the challenge it will be to apply the AI ​​Act given the billion-dollar fines that make the news but never come to fruition, companies that use legal resources to postpone payments indefinitely, and a disparity between theoretical regulatory power and actual enforcement capacity. Without a profound reform in the enforcement and collection mechanisms, we run the risk of seeing the world's first major AI regulation follow the same path - much bark and little bite.

Perhaps the focus should be less on astronomical fines and more on creating penalties that are actually applicable and that generate effective changes in the behavior of companies, but... who am I in the bread line?

What do you think?

Leave a comment