By · Last updated 2026-05-29


Irish DPC: 80% of EU GDPR Mega-Fines

€530M TikTok, €310M LinkedIn, €251M Meta — all from Ireland's DPC. Here's why Ireland hosts Big Tech's EU HQs and what DPC enforcement means for SaaS.

May 29, 2026 · 8 minute read
Irish DPC · Ireland GDPR · TikTok GDPR fine · Big Tech enforcement · EU data protection

Why Ireland Leads EU Enforcement

The Irish Data Protection Commission (DPC) is the lead authority for most large EU tech companies. This is not an accident.

Ireland's low tax rate drew Apple, Google, Meta, LinkedIn, and TikTok. They all set up their main EU offices there.

GDPR Article 56 makes the DPC their lead supervisory authority: under the one-stop-shop, the authority of the main establishment handles cross-border processing. Article 60 then sets out how the lead authority cooperates with the other authorities concerned. Three things follow from this.

First, a complaint lodged in Germany about Facebook is decided by the Irish DPC, not by the German authority it was filed with; that authority takes part only as a concerned authority. Second, the DPC must circulate its draft decision to the concerned authorities, who can raise objections. Third, a DPC decision against Meta then binds across the entire EU, with one safety valve: if the authorities cannot agree, the EDPB issues a binding decision under Article 65. That is how the €1.2B Meta fine came about in 2023, after the EDPB directed the DPC to impose it.

The result is clear. The DPC has issued more fine value than all other EU bodies combined. See our GDPR compliance overview on how this shapes vendor decisions.

Three Fines That Define 2024–2025

€530M against TikTok (May 2025): TikTok let staff in China remotely access EEA user data. The DPC found this breached Article 46(1). TikTok transferred the data under standard contractual clauses but did not verify, guarantee or demonstrate that Chinese law left it with protection essentially equivalent to the EU's. China has no adequacy decision under Article 45, so Chapter V (Articles 44–46) demands such safeguards. TikTok claimed its controls were adequate; the DPC said they were not, and added a transparency finding under Article 13(1)(f) because TikTok had not told users that their data went to China. During the inquiry TikTok also disclosed that some EEA data had in fact been stored on servers in China, contrary to what it had told the DPC earlier.

€310M against LinkedIn (October 2024): this fine was about lawful basis, not a breach. For behavioural analysis and targeted advertising LinkedIn claimed consent, legitimate interest and contractual necessity. The DPC rejected all three: the consent was not freely given, specific or informed; the legitimate-interest balancing test failed because the processing was not necessary for the stated interest and members' rights outweighed it; and the processing was not needed to perform the contract. The DPC also found transparency breaches under Articles 13 and 14 and a fairness breach under Article 5(1)(a).

€251M against Meta (December 2024): this concerned the 2018 "View As" token breach, which exposed about 29 million Facebook accounts worldwide, roughly 3 million of them in the EU/EEA. Meta notified the DPC within 72 hours, but the notification lacked information Article 33(3) requires, and Meta's own breach documentation failed Article 33(5): it did not let the DPC verify what had happened, what was exposed and what was done about it. The DPC also found data-protection-by-design and by-default failures under Article 25.

These three joined the earlier €1.2B Meta fine from May 2023. That fine came from the DPC too, for illegal EU-US transfers. It remains the largest GDPR penalty ever issued.

The DPC handled over 8,500 cross-border cases in 2024. Browse our security and compliance page to see how zero-knowledge design addresses each failure.

What Each Fine Reveals

Cross-Border Access Failures

The transfer fines (TikTok 2025 and the €1.2B Meta case) share one core issue. Personal records were reachable from countries without EU-level privacy rules, whether because engineers logged in remotely or because the data itself was stored there.

TikTok's fine was direct. EU user data reached staff in China despite stated controls, and some of it was stored there.

What this means for vendor selection: Ask whether non-EU engineers can reach EU-hosted records. A vendor may host in Dublin but still expose EU files via US-based support staff. EU residency alone is not enough. Our entity processing guide shows how access controls map to GDPR Article 46.

Lawful Basis Failures

LinkedIn's fine was not about a breach. It was about how LinkedIn justified its processing.

"Legitimate interest" is not a blanket right. Controllers must document a genuine balance test. That test must show their interest outweighs the user's rights. Our compliance page covers how to review vendor lawful basis claims.

Logging and Notice Failures

Meta's €251M fine included a key finding. Meta's breach records did not let the regulator verify the breach's scope or its remediation, which is the Article 33(5) documentation duty.

GDPR Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach. Under Article 33(3)(a) that notice must describe the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned. Article 33(4) lets you deliver that in phases, but each phase still has to be measured, and Article 33(5) requires you to document the facts so the regulator can check them. You cannot report scope you cannot measure.

Ask prospective vendors about their audit log structure. If a vendor cannot answer "which records were exposed?" after an incident, it cannot meet Article 33(3)(a), and its customer, as controller, inherits that gap.
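To make the audit-log question concrete, here is an added example (not anonym.legal's code, and not any vendor's real log format) of the query a vendor should be able to run after an incident. It assumes a record-level access log in JSON lines with the hypothetical fields ts, principal, action, record_id, subject_id and category, and a constructed six-line log in which the service account svc-support-us is taken to be compromised between 09:00 and 12:00 UTC. BreachScope returns the distinct records, data subjects and categories that account touched in the window, and separately counts events that carry no record ID, because an "export" line that names no records is exactly the log entry that makes scope unmeasurable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one JSON-lines entry of a hypothetical record-level access
// log. The field names are assumptions made for this example, not any
// vendor's real schema. The point is that every read of personal data is
// logged against a record ID, a data-subject ID and a data category.
type AccessEvent struct {
	Time      time.Time `json:"ts"`
	Principal string    `json:"principal"`
	Action    string    `json:"action"`
	RecordID  string    `json:"record_id,omitempty"`
	SubjectID string    `json:"subject_id,omitempty"`
	Category  string    `json:"category,omitempty"`
}

// Scope holds what Article 33(3)(a) asks for: the categories and approximate
// number of data subjects and records concerned. Unmeasured counts events in
// the incident window that carry no record ID and so cannot be attributed to
// any record; if it is non-zero, the reported scope is only a lower bound.
type Scope struct {
	Records    []string
	Subjects   []string
	Categories []string
	Unmeasured int
}

// ParseLog decodes newline-delimited JSON events. Timestamps must be RFC 3339,
// which is what encoding/json expects for time.Time.
func ParseLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var ev AccessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("log line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// BreachScope answers "which records were exposed?" for one compromised
// principal between from and to (inclusive). Events by other principals or
// outside the window are ignored; events without a record ID are counted as
// unmeasured rather than silently dropped.
func BreachScope(events []AccessEvent, principal string, from, to time.Time) Scope {
	recs, subs, cats := map[string]bool{}, map[string]bool{}, map[string]bool{}
	var s Scope
	for _, ev := range events {
		if ev.Principal != principal || ev.Time.Before(from) || ev.Time.After(to) {
			continue
		}
		if ev.RecordID == "" {
			s.Unmeasured++
			continue
		}
		recs[ev.RecordID] = true
		if ev.SubjectID != "" {
			subs[ev.SubjectID] = true
		}
		if ev.Category != "" {
			cats[ev.Category] = true
		}
	}
	s.Records, s.Subjects, s.Categories = sortedKeys(recs), sortedKeys(subs), sortedKeys(cats)
	return s
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Constructed sample log for this example. The support service account
// "svc-support-us" is assumed compromised between 09:00 and 12:00 UTC.
const sampleLog = `
{"ts":"2025-03-01T09:15:00Z","principal":"svc-support-us","action":"read","record_id":"rec-1001","subject_id":"subj-7","category":"health"}
{"ts":"2025-03-01T09:20:00Z","principal":"svc-support-us","action":"read","record_id":"rec-1002","subject_id":"subj-8","category":"contact"}
{"ts":"2025-03-01T10:05:00Z","principal":"svc-support-us","action":"export","category":"contact"}
{"ts":"2025-03-01T10:30:00Z","principal":"alice","action":"read","record_id":"rec-1003","subject_id":"subj-9","category":"contact"}
{"ts":"2025-03-01T11:00:00Z","principal":"svc-support-us","action":"read","record_id":"rec-1001","subject_id":"subj-7","category":"health"}
{"ts":"2025-03-01T13:00:00Z","principal":"svc-support-us","action":"read","record_id":"rec-1004","subject_id":"subj-10","category":"financial"}
`

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	from := time.Date(2025, 3, 1, 9, 0, 0, 0, time.UTC)
	to := time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC)
	s := BreachScope(events, "svc-support-us", from, to)
	fmt.Printf("records=%v subjects=%v categories=%v unmeasured=%d\n",
		s.Records, s.Subjects, s.Categories, s.Unmeasured)
}
```

Run as written it prints records=[rec-1001 rec-1002] subjects=[subj-7 subj-8] categories=[contact health] unmeasured=1. The non-zero unmeasured count is the finding to put in front of a vendor: anything the log records only as an action, with no record or subject key, cannot be reported under Article 33(3)(a) except as a lower bound.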

The Pattern Across DPC Cases

Read across all four major DPC fines and one pattern appears. Regulators act against designs where the vendor can read, analyse or move user content at will: staff in a third country could reach it (TikTok, Meta 2023), the vendor profiled it (LinkedIn), or it leaked and the vendor could not account for what was taken (Meta 2024).

Zero-knowledge design addresses the core concern in each case. User content is encrypted. The vendor holds no decryption keys.

For TikTok and Meta transfer cases, non-EU engineers reach the server but see only ciphertext. No readable records are exposed. For the Meta breach case, a full server compromise yields nothing useful. Breach scope shrinks. For LinkedIn, a vendor that never sees plain text cannot run behavior analysis on it.

This is the direct answer to each DPC action. See our security overview for details, or our founder statement on why anonym.legal was built this way from day one.
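The claim in this section is an architecture claim, so here is an added example of it in code. It is not anonym.legal's implementation (which this page does not publish) but a stand-alone illustration using Go's standard library. It assumes the client generates a random 256-bit key, encrypts each record with AES-256-GCM, and binds the record ID into the AEAD as associated data; the server stores only the ID, nonce and ciphertext. ServerDump models a full compromise of the store, and DumpContains checks whether a plaintext fragment is readable in it. The record ID, plaintext and key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredRecord is everything the hypothetical server keeps for one record:
// the record ID, the GCM nonce and the ciphertext. There is no key field,
// because in a zero-knowledge design the key never leaves the client.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// NewClientKey generates a 256-bit AES key on the client. In a real
// deployment it would be derived from a user secret or held in a client
// keystore; here it is simply random.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext client-side with AES-256-GCM. The record ID is
// passed as associated data, so it is authenticated but not encrypted: a
// ciphertext copied under another record ID will fail to open.
func Seal(key []byte, recordID string, plaintext []byte) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return StoredRecord{ID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the client. It fails with a wrong key, a tampered
// ciphertext, or a record ID that does not match the one sealed in.
func Open(key []byte, rec StoredRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

// ServerDump is what a full compromise of the server store yields for one
// record: every byte the server holds, concatenated.
func ServerDump(rec StoredRecord) []byte {
	dump := append([]byte(rec.ID), rec.Nonce...)
	return append(dump, rec.Ciphertext...)
}

// DumpContains reports whether a plaintext fragment is readable in the
// server dump. With a correct AEAD this is false for any non-trivial
// fragment. The dump still reveals the record ID and the ciphertext length,
// which is metadata rather than content.
func DumpContains(rec StoredRecord, fragment []byte) bool {
	return bytes.Contains(ServerDump(rec), fragment)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content for the example.
	plain := []byte("Client: Jane Doe, DOB 1980-02-14, matter 2025/117")
	rec, err := Seal(key, "rec-1001", plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("server dump reveals the name:", DumpContains(rec, []byte("Jane Doe")))

	back, err := Open(key, rec)
	fmt.Println("client decrypts its own record:", err == nil && bytes.Equal(back, plain))

	// A ciphertext moved to another record ID fails authentication.
	moved := rec
	moved.ID = "rec-2002"
	_, err = Open(key, moved)
	fmt.Println("ciphertext moved to another record is rejected:", err != nil)
}
```

Two caveats a reviewer should keep in mind. First, the guarantee holds only if the key genuinely never reaches the server; a web client that receives its key, or the secret it derives the key from, from the server has no such guarantee, which is why the vendor-review question "who holds the keys?" is the one that matters. Second, the dump still reveals record IDs, ciphertext lengths and, in a real store, timestamps and access metadata, so "no readable records" means no readable content, and the breach-scope question under Article 33 still has to be answered from metadata and logs.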

What "Main Establishment" Means

Some companies route their EU structure to control which DPA has jurisdiction. The DPC's view matters here.

"Main establishment" is not just a company address. It is where central EU management sits. For controllers, it is where decisions about processing goals are made.

A firm with a London privacy team may have no EU main establishment. Each member state's DPA could then assert authority for local complaints.

Vendor Review Questions

Use these questions when you assess SaaS vendors that handle personal records.

Jurisdiction and access:

  • Where is the vendor's EU main establishment?
  • Can non-EU staff access EU user records in normal work?
  • Is the vendor's parent subject to the CLOUD Act or China's security laws?

Technical design:

  • Does EU user content stay on EU-hosted servers?
  • Does the vendor hold encryption keys, or does the customer?
  • Are audit logs detailed enough to measure breach scope?

Transfer records:

  • What GDPR Article 46 mechanism covers any EU-US flows?
  • Has the vendor done a Transfer Impact Assessment?
  • What extra technical measures are in place?

DPC enforcement is consistent on one point. Even firms with privacy teams and DPOs face large fines when their technical design does not match their claims. See our case studies and FAQ for more.


anonym.legal uses EU-based Hetzner servers with zero-knowledge design. Servers hold only AES-256-GCM ciphertext. A full breach exposes no readable records. The Desktop App processes all content on-device with no external links.


About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.