
GDPR Enforcement 2024: Analyzing High-Profile Complaints and Data Subject Rights Compliance

AIGovHub Editorial, March 29, 2026

Introduction: The Rising Tide of GDPR Enforcement

Since its entry into force on 25 May 2018, the General Data Protection Regulation (GDPR) has reshaped the global privacy landscape. In 2024, enforcement has intensified, with privacy organizations like noyb leading the charge against systematic non-compliance. High-profile complaints targeting airlines, credit agencies, and major tech platforms underscore a critical trend: regulators and advocates are zeroing in on violations of fundamental data subject rights. For businesses, this means that merely having a privacy policy is no longer sufficient—proactive, operational compliance is essential to avoid penalties that can reach up to EUR 20 million or 4% of global annual turnover. This article analyzes key GDPR enforcement actions in 2024, drawing insights from noyb complaints to help organizations strengthen their data governance frameworks.

Key GDPR Complaints in 2024: A Deep Dive

Privacy organizations have filed several landmark complaints this year, highlighting specific GDPR violations. Here are four notable cases that illustrate common pitfalls.

Wizz Air: Charging for Data Rectification

In a complaint filed with Austrian authorities, noyb alleged that Wizz Air violated Article 12(5) GDPR by charging an Austrian passenger €35 in phone fees to update her surname and email address after a name change. The GDPR mandates that data subject requests, including rectification under Article 16, must be provided free of charge. Wizz Air’s customer service reportedly restricted online updates to marriage-related changes, forcing the passenger to use a paid hotline. Even after a 32-minute call, the airline failed to update the email address, leading to missed flight cancellation notifications. noyb argues this represents a systematic failure to facilitate free and timely data corrections, potentially endangering passengers during emergencies. The complaint could result in fines up to €97 million, emphasizing the financial risks of non-compliance with basic data subject rights.

CRIF: Credit Scoring Without Stored Data

Privacy organization noyb.eu filed a complaint against credit rating agency CRIF for generating a negative credit score (446/700) for an individual without storing any personal data about them. The score, based solely on request data (name, address, date of birth), led an electricity company to refuse a contract with the debt-free individual. This practice raises alarms under Article 5 GDPR (data accuracy principle) and Article 22 GDPR (right to explanation of automated decisions). CRIF defended its process as a trade secret, but noyb contends this leaves consumers powerless. The case highlights opaque algorithms in credit scoring and challenges to GDPR compliance, with potential fines up to EUR 20 million. It also connects to broader AI governance issues, as automated decision-making systems must be transparent and accountable—principles reinforced by regulations like the EU AI Act.

KSV 1870: Exploiting Access Requests for Commercial Gain

noyb filed a complaint against Austrian credit reference agency KSV 1870 for systematically violating the GDPR’s purpose limitation principle. KSV collects identification data (name, address, date of birth) from individuals exercising their Article 15 GDPR right of access, then stores this data in its commercial database without permission for credit scoring purposes. This repurposing of data violates Article 5(1)(b) GDPR, which requires that personal data be collected for specified, explicit, and legitimate purposes. The practice creates a chilling effect, where individuals fear exercising their data subject rights due to potential database expansion. This case underscores enforcement challenges with data-driven businesses that disregard fundamental principles, mirroring concerns in other sectors like AI governance in healthcare where data misuse can have severe consequences.

Tech Giants: TikTok, AliExpress, and WeChat

noyb filed GDPR complaints against TikTok, AliExpress, and WeChat for violating data subject access rights under Article 15 GDPR. The complaints allege that these companies failed to provide complete, structured, and accessible copies of personal data to European users upon request. Specifically, TikTok provided partial data in an unstructured format, AliExpress supplied a broken file, and WeChat ignored the request entirely. These actions hinder users’ ability to verify lawful data processing and compliance with GDPR provisions, including data transfers to China. The complaints, filed with data protection authorities in Belgium, Greece, and the Netherlands, seek declarations of violations, orders to fulfill access requests, and potential fines up to 4% of global revenue. They follow earlier complaints regarding unlawful data transfers, with some companies like SHEIN and Temu cooperating while others continued non-compliance. This highlights ongoing challenges in enforcing GDPR against major tech firms, particularly those based in China, and aligns with broader regulatory scrutiny seen in DSA and AI governance cases.

Common Themes Across GDPR Incidents

Analyzing these complaints reveals recurring patterns that businesses must address to avoid similar pitfalls.

Systematic Non-Compliance with Data Subject Rights

Many complaints involve companies failing to operationalize GDPR rights like access (Article 15), rectification (Article 16), and explanation of automated decisions (Article 22). For example, Wizz Air’s fee structure and KSV 1870’s data repurposing show how procedural barriers can undermine these rights. This suggests that organizations often treat GDPR compliance as a checkbox exercise rather than embedding it into daily operations. Regular audits and staff training are crucial to prevent such systemic failures.

Consent and Legal Basis Issues

Cases like the Facebook proceedings in Vienna highlight disputes over legal bases for processing. Facebook claims GDPR consent is unnecessary due to an “advertising contract” with users under Article 6(1)(b) GDPR, while plaintiffs argue this circumvents consent requirements. A Gallup study cited in the case shows only 4% of users actually want advertising, raising questions about valid consent. Businesses must ensure their legal bases are robust and transparent, especially as regulations like the EU AI Act impose stricter requirements for high-risk AI systems.

Data Minimization and Accuracy Failures

CRIF’s credit scoring without stored data and KSV 1870’s data collection practices violate principles of data minimization (Article 5(1)(c)) and accuracy (Article 5(1)(d)). These incidents show that collecting or using data beyond what is necessary can lead to significant compliance risks. Organizations should implement data governance frameworks that enforce these principles, similar to approaches recommended for AI governance in emerging technologies.

Legal and Regulatory Insights: Enforcement Priorities

Recent rulings and regulatory developments provide context for these enforcement actions.

The European Data Protection Board (EDPB) and Court of Justice of the European Union (CJEU) have emphasized strict interpretation of GDPR provisions. For instance, CJEU rulings on Meta have clarified requirements for data transfers and consent. In 2024, enforcement priorities appear focused on:

  • Data Subject Rights: As seen in the noyb complaints, regulators are prioritizing violations of access, rectification, and explanation rights.
  • Transparency and Accountability: Cases like CRIF highlight demands for explainability in automated decisions, echoing trends in AI governance.
  • Cross-Border Compliance: Complaints against Chinese tech firms underscore challenges with international data flows and enforcement cooperation.

These priorities align with broader regulatory trends, such as the EU AI Office’s oversight of general-purpose AI models, which also stress transparency and user rights. Businesses should monitor these developments to stay ahead of compliance requirements.

Practical Compliance Steps for Businesses

To mitigate risks and ensure GDPR compliance, organizations should adopt proactive measures. Here are actionable steps based on the analyzed incidents.

Implement Robust Data Governance

Establish clear policies for handling data subject requests, including access, rectification, and objection. Ensure processes are free of charge and timely, as required by Articles 12 and 16. Use automated workflows to track requests and responses, reducing the risk of errors or delays. Tools like AIGovHub’s data privacy solutions can help streamline these processes with features for GDPR readiness assessments and vendor comparisons.

Conduct Regular Audits and Training

Regularly audit data processing activities to ensure compliance with principles like purpose limitation, data minimization, and accuracy. Train employees on GDPR requirements, especially customer-facing staff who handle data subject requests. Learning from incidents like Wizz Air’s hotline issues can prevent similar operational failures.

Leverage Automated Compliance Tools

Use technology to monitor compliance and identify gaps. For example, automated tools can flag unauthorized data repurposing (as in KSV 1870’s case) or ensure structured data provision (as lacking in TikTok’s response). AIGovHub offers tools for continuous compliance monitoring, helping businesses stay aligned with GDPR and related regulations like the EU AI Act.

Review Legal Bases and Consent Mechanisms

Reassess legal bases for data processing, ensuring they are valid and documented. Avoid relying on questionable justifications like Facebook’s “advertising contract.” Implement clear consent mechanisms where required, and regularly review them for compliance. This is especially important as AI systems, such as those used in hiring, face stricter scrutiny under regulations like NYC Local Law 144 and the EU AI Act.

Conclusion: The Imperative of Proactive Compliance

The GDPR enforcement trends of 2024 demonstrate that data privacy is not a static requirement but an evolving challenge. High-profile complaints by noyb and other organizations reveal systemic issues in data subject rights compliance, consent, and data governance. For businesses, the stakes are high—financial penalties, reputational damage, and operational disruptions. By learning from these cases and implementing robust compliance frameworks, organizations can turn regulatory requirements into competitive advantages. Proactive measures, supported by tools like AIGovHub’s compliance solutions, are essential to navigate this complex landscape and build trust with customers and regulators alike.

Key Takeaways

  • GDPR enforcement in 2024 has focused heavily on violations of data subject rights, such as access (Article 15) and rectification (Article 16).
  • Common themes include systematic non-compliance, consent issues, and failures in data minimization and accuracy.
  • High-profile complaints against Wizz Air, CRIF, KSV 1870, and tech giants highlight the financial and reputational risks of non-compliance.
  • Legal and regulatory insights emphasize transparency, accountability, and cross-border enforcement as priorities.
  • Practical steps for businesses include implementing robust data governance, conducting regular audits, leveraging automated tools, and reviewing legal bases.
  • Proactive compliance is crucial to avoid penalties up to EUR 20 million or 4% of global turnover and to align with broader regulations like the EU AI Act.
