Analysis of Fines Imposed by the Information Commissioner’s Office in 2024

Stuart Skelly | Senior Consultant at URM | Published on 5 Feb 2025

In the UK, compliance with data protection legislation, such as the General Data Protection Regulation (GDPR), is enforced by the Information Commissioner’s Office (ICO), which has a number of powers at its disposal to penalise organisations found to be in breach of the law.  Understanding to what extent and how the ICO uses these powers, as well as on which entities, is always valuable for organisations that need to maintain GDPR compliance.  As such, URM has followed up on its analyses of the enforcement action taken by the ICO in 2022 and 2023 by carrying out a review of the fines it imposed in 2024, as well as looking to see if there were any discernible differences from previous years.

Overview

In 2024, there were a total of 62 instances of enforcement action (fines, reprimands and enforcement notices) taken against 47 organisations (including 8 police forces or other law enforcement agencies).  32 of these 62 actions were in relation to breaches of the UK GDPR.  These were brought against 31 organisations (27 in the public sector as against only 4 in the private).  In the majority of cases, it was only organisations that committed non-UK GDPR breaches that received more than one enforcement action for a single contravention (typically a fine and an enforcement notice).  A reprimand is a formal warning issued by the ICO indicating non-compliance with data protection laws - essentially a ‘slap on the wrist’ for more minor breaches, while an enforcement notice is a more serious action requiring an organisation to take specific steps to rectify a significant data protection violation, often accompanied by a potential fine if not addressed.

Number of Fines and Sector Focus

In 2024, the ICO imposed a total of 18 monetary penalties, nearly identical to the number (17) it handed down in 2023.

In 2022, the ICO announced its ‘public sector approach’, an initiative (which was reviewed in the summer of 2024) to only impose financial penalties on public sector bodies in extreme cases, and instead issue reprimands and (as 2024 has shown) enforcement notices when delivering enforcement action for less serious infringements.  However, in 2024, 3 public organisations were (quite heavily) fined.  A £750,000 penalty was issued to the Police Service of Northern Ireland (PSNI) for a security breach it committed the previous year, which was described by the independent review set up shortly afterwards as ‘the most significant data breach… in the history of UK policing’.  In addition, a £350,000 penalty (reduced from the originally intended figure of £1m) was imposed on the Ministry of Defence (MOD), and a £7,500 fine was imposed on the Central YMCA.  The reason for the ICO diverging from its normal approach of avoiding fining public entities was probably the egregious nature of the breaches in each case: the YMCA infringement involved highly sensitive health data, and the MOD and PSNI breaches posed a genuine threat to people’s lives.

Reasons for Fines Being Imposed

Let’s consider the reasons for fines being imposed by the ICO in 2024.  The following graphic summarises the breaches that led to fines being imposed.

This shows that, as in 2023, the majority of the ICO’s fines were directed not at infringements of the UK GDPR, but at breaches of the Privacy and Electronic Communications Regulations (PECR).  However, the proportion of fines attributable to breaches of the UK GDPR rose in 2024 to one sixth of the total, whereas in 2023 it comprised a mere one seventeenth.  The 3 UK GDPR fines were the ones (unusually) imposed on public authorities referred to above, and so could be considered outliers.  We will have to wait and see whether the ratio of UK GDPR fines to PECR monetary penalties slips back during 2025 to the low level seen in 2023.

As a result of the monetary penalties against the 3 public bodies, the proportion of UK GDPR breaches fined, as a percentage of the total number of penalised contraventions of all kinds (i.e., including PECR infringements), grew to 16.7% (one in six) from under 6% in 2023.  Of the 32 UK GDPR cases in total in which the ICO took enforcement action in 2024 (up slightly from 30 in 2023), as noted above, only 3 resulted in a fine being imposed – the rest were all punished by issuing reprimands (18) or enforcement notices (11).  Of these 18 reprimands (down from 29 in 2023), however, only 16 were issued to public sector bodies.  So, despite the Information Commissioner’s rationale for not fining authorities (that such penalties have limited deterrent effect as it is ultimately the taxpayer who pays them), 2 recipients of reprimands were in fact private companies, although this is much reduced from the 2023 figure of 9.  Of the 11 UK GDPR-related enforcement notices, all but 2 went to public bodies, which is an interesting development, since no such enforcement notices at all were issued to public sector entities in 2023, and those private sector organisations that received enforcement notices in 2023 did so in relation to PECR breaches only.  This widespread use of enforcement notices in relation to non-PECR breaches is new, and URM will be following this trend to see if it develops in 2025.

Nature of 2024 GDPR-related Enforcement - Brexit Finally Takes Effect

As we predicted in last year’s GDPR review, the last of that year’s reprimands, dated 10 March 2023, was indeed the last ICO enforcement action that related solely to processing under the old pre-Brexit GDPR: every GDPR enforcement in 2024 was brought under the post-Brexit ‘UK GDPR’ introduced by the Data Protection Act 2018 (DPA 2018).  Currently, the UK GDPR is, in practical terms, identical to the original GDPR (now known in the UK as the ‘EU GDPR’).  However, this is set to change with the passing of the Data (Use and Access) Act, which is predicted to occur in the summer of 2025.

An Interesting Relic

Although it was not included in the 2024 fining statistics—since it concerns a penalty issued in early 2020 for a breach that occurred between July 2017 and April 2018—it is noteworthy in the context of ‘legacy legislation’ that, surprisingly, one case is still being litigated in the courts under the Data Protection Act 1998 (pre-DPA 2018, pre-UK GDPR, and pre-EU GDPR)!  It is the DSG Retail case in which the ICO, in November 2024, asked for permission to appeal a decision of the Upper Tribunal to the Court of Appeal on a fundamental point dealing with the Tribunal’s interpretation of the term ‘personal data’, specifically the scope of when an individual is reasonably ‘indirectly’ identifiable from only partial, fragmentary data.

The Cost of a Breach

The average fine in the UK in 2024 was £153,722, less than a fifth of what it was in 2023 (£816,471).  However, this 2023 figure was anomalous, having been heavily skewed by the £12.7m penalty dealt out in that year to the global video-sharing platform TikTok (the third biggest fine ever issued by the ICO).

The 18 fines imposed by the ICO in 2024 ranged from £7,500 to £750,000.  There was a less even division than in 2023 between those for under £100K and those over (7 and 11 respectively, compared to 9 and 8 in 2023).  As such, the regulator is fining not more prolifically but proportionately more heavily.  In total, these 18 fines brought in over £2.7m to the Treasury (down from the over £13m in 2023, a sum which was again affected by the significant fine imposed on TikTok).  However, this has to be considered in context: in 2024, the relatively small Irish Data Protection Commission issued €600 million (about £522m) in fines, representing half of the €1.2 billion in data protection fines imposed across the whole of Europe last year.  Comparing this figure to the ICO’s £2.7m total demonstrates the stark difference in approach to this question between the ICO and its European counterparts.  The Irish regulator is the standout finer among all the EU supervisory authorities, having issued penalties totalling €3.5bn since the GDPR came into force in May 2018 - more than four times the €746.4m in fines issued by the second-placed Luxembourg National Commission for Data Protection (which is even smaller than the Irish Commission), and forming nearly 60% of the €5.9bn overall total from across the whole EU.

In further examples, in August 2024, the Dutch data protection authority issued a fine of €290 million (£241m) against the ride-hailing app Uber in relation to transfers of personal data to a third country.  Also last year, the Spanish AEPD issued 2 fines totalling €6.2 million (£5.1m) against a large bank for inadequate security measures, and the Italian Garante fined a single utility provider €5 million (£4.1m) for using out-of-date customer data.

However, with the Information Commissioner John Edwards telling The Times in November 2023 that he does not agree that fines are likely to have the greatest impact (on any organisation, be it public or private sector, presumably) and that they would possibly tie his office up in years of litigation, the ICO’s unconvinced, even hesitant, approach to fining is likely to continue into 2025 and for the foreseeable future.  The evidence may emerge in 2025 as to whether this more cautious approach does indeed have a greater ‘impact’ on reducing data breach incidents in the UK.  Whether it bears fruit we will, again, have to wait and see.  But for the time being there remains a clear disparity in philosophy between the UK regulator and the EU’s data protection authorities on this basic issue.

UK GDPR Breaches Receive Biggest Fines, but PECR Infringements Penalised More Overall

The £750,000 and £350,000 monetary penalties for the PSNI and MOD for infringements of the UK GDPR were the highest issued in 2024.  However, overall, the fines for breaches of the PECR e-marketing rules exceeded the total for UK GDPR violations (roughly £1.6m as opposed to around £1.1m).  This was the reverse of the situation in 2023, where the sum total of GDPR fines far outstripped that for PECR (again, largely the product of the ‘TikTok effect’ that year).

Cookies – the ICO Takes One (Small) Bite

In 2023 and 2024, the Information Commissioner wrote to companies operating the UK’s 200 most visited websites regarding their use of cookies, expressing concern that these companies were not following its guidance on website design and were not providing users with adequate choice as to whether their activities were being tracked for personalised marketing.  This national cookies compliance check was expanded in January 2025 to include the top 1,000 websites in the UK.  The ICO’s crackdown on cookies non-compliance came too late to be reflected in 2023’s fines and has, so far, resulted in only one instance of enforcement action in 2024.  This was not a fine, but a reprimand, issued to Bonne Terre Ltd t/a Sky Betting and Gaming for having defective procedures for gathering users’ consent to advertising cookies on its website.  However, we will continue to track how the regulator’s heightened vigilance on this matter develops, and whether there is any increase in the number of fines for breaches of the relevant legislation during the coming year (to learn more about how to ensure your use of cookies is compliant, read our blog on Are You Getting Cookies Compliance Wrong?).

URM will continue to monitor all future ICO fines, reprimands and enforcement notices – let’s see what 2025 brings!

How URM can Help

With 20 years of experience in helping organisations to achieve and maintain data protection compliance (and therefore avoid enforcement action from the ICO), URM is ideally positioned to provide data protection consultancy services that enable your organisation to do the same.  Our highly qualified and experienced team of experts can offer a range of GDPR support services to help your organisation comply with the Regulation.  For example, we can conduct a GDPR gap analysis of your current processing practices and provide remediation support, as well as offering more specific services such as assistance with records of processing activities (RoPA), data privacy impact assessments (DPIAs) and data transfer impact assessments (DTIAs).  If your organisation receives data subject access requests (DSARs), we can also provide DSAR support in the form of our redaction service, whereby our experts apply the necessary exemptions and redactions to ensure the request is responded to in full compliance with the Regulation.  Or, for ongoing support, URM can offer a virtual data protection officer (vDPO) service, which allows you to access an entire team of DP practitioners, each with their own specialised area of GDPR consultancy.

To enhance your own understanding of the GDPR and UK data protection regime in general, URM runs a number of data protection-related training courses – all led by an experienced data protection practitioner.  Our courses on conducting DTIAs, DPIAs, and on responding to a DSAR request, will teach you how to perform these key compliance activities, thereby expanding your professional skillset and enabling you to significantly contribute to your organisation’s data protection compliance programme.  To gain an industry-recognised qualification in DP, we also regularly deliver the BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam.

About the author: Stuart Skelly, Senior Consultant at URM, is a highly experienced and knowledgeable GRC consultant who has specialised in data protection law for 25 years.