The Numbers
The General Data Protection Regulation has been enforceable since May 25, 2018. Nearly eight years later, the enforcement record is substantial enough to draw meaningful conclusions about where supervisory authorities focus their attention — and where organisations continue to fall short.
According to the DLA Piper GDPR Fines and Data Breach Survey published in January 2026, cumulative GDPR fines since 2018 have surpassed EUR 7.1 billion. The 2025 calendar year accounted for approximately EUR 1.2 billion of that total, broadly in line with 2024 levels. The trajectory is not one of exponential growth, but of sustained, high-level enforcement that shows no sign of declining.
These figures deserve context. The headline total is dominated by a small number of very large fines — primarily against US-headquartered technology companies operating across the European Economic Area. Strip out the top ten fines and the cumulative total drops substantially. But the long tail matters too: hundreds of smaller fines, ranging from a few thousand to several million euros, signal that enforcement is not reserved for Big Tech. National data protection authorities are actively pursuing organisations of all sizes across every sector.
The enforcement record also reflects a maturing regulatory ecosystem. Early years saw relatively modest fines as authorities built capacity and established precedent. From 2021 onwards, the scale and frequency of enforcement increased markedly, driven by landmark decisions on consent, international transfers, and data subject rights.
The Largest Fines
The ten largest GDPR fines to date illustrate where regulators see the most serious compliance failures. Several common threads run through these cases: consent management, international data transfers, and transparency obligations.
| Rank | Organisation | Amount (EUR) | Authority | Year | Primary Violation |
|---|---|---|---|---|---|
| 1 | Meta (Facebook) | 1.2 billion | Ireland DPC | 2023 | Cross-border transfers to US (Chapter V) |
| 2 | Amazon | 746 million | Luxembourg CNPD | 2021 | Targeting and consent violations |
| 3 | TikTok | 530 million | Ireland DPC | 2025 | Data transfers to China, children's data |
| 4 | Meta (Facebook) | 390 million | Ireland DPC | 2023 | Consent for behavioural advertising (Art. 6/7) |
| 5 | Meta (Instagram) | 405 million | Ireland DPC | 2022 | Children's data processing |
| 6 | Meta (WhatsApp) | 225 million | Ireland DPC | 2021 | Transparency obligations |
| 7 | Clearview AI | Multiple | FR, IT, GR, UK | 2022 | Unlawful facial recognition processing |
| 8 | Criteo | 40 million | France CNIL | 2023 | Consent for ad tracking |
| 9 | H&M | 35 million | Germany (Hamburg) | 2020 | Employee surveillance |
| 10 | TIM (Telecom Italia) | 27.8 million | Italy Garante | 2020 | Unsolicited marketing, consent |
Several observations stand out from this list.
International transfers dominate the largest fines. The two biggest individual penalties — Meta's EUR 1.2 billion fine and TikTok's EUR 530 million fine — both concern transfers of personal data outside the EEA without adequate safeguards. These cases reflect a regulatory priority that intensified following the Schrems II judgment in July 2020 and the subsequent uncertainty around EU-US data flows, only partially resolved by the EU-US Data Privacy Framework adopted in July 2023.
Consent failures are the most common trigger. Across the top ten and beyond, consent-related violations under Articles 6 and 7 account for the largest share of enforcement actions. Regulators have consistently found that organisations rely on consent mechanisms that do not meet the GDPR's requirements for freely given, specific, informed, and unambiguous consent — particularly in the context of online advertising and behavioural tracking.
Appeals can reshape outcomes. Several of these fines are or were subject to appeal. Amazon's EUR 746 million fine has been challenged before Luxembourg courts. The appeal process can take years and may result in significant reductions, but the reputational impact of the original decision is immediate and largely irreversible.
Violation Type Breakdown
Analysing enforcement actions across all authorities — not just the headline fines — reveals a consistent pattern of which GDPR provisions attract the most scrutiny.
Consent and Lawful Basis (Articles 6 and 7)
Consent violations remain the single largest category of enforcement action by both frequency and cumulative fine value. The issues are well-documented but persistent: pre-ticked boxes, bundled consent, consent buried in terms of service, cookie banners that default to acceptance, and insufficient granularity in consent requests. Regulators have also challenged organisations that rely on legitimate interest as a legal basis without conducting the required balancing test.
International Data Transfers (Chapter V)
The post-Schrems II enforcement wave has produced some of the largest individual fines in GDPR history. Even with the EU-US Data Privacy Framework in place since 2023, transfers to countries without adequacy decisions — and the mechanisms used to safeguard them (Standard Contractual Clauses, Binding Corporate Rules) — remain an area of active enforcement. The TikTok decision in 2025 confirmed that transfers to China face particularly intense scrutiny.
Data Breach Notification (Articles 33 and 34)
Failure to notify supervisory authorities within the 72-hour window mandated by Article 33, or failure to communicate breaches to affected data subjects under Article 34, generates a steady stream of enforcement actions. These tend to involve smaller fines individually but affect a far wider range of organisations than the headline consent and transfer cases.
Data Protection Impact Assessments (Article 35)
Failing to conduct a DPIA before high-risk processing — or conducting one as a retrospective compliance exercise rather than a genuine risk assessment — has drawn increasing attention from authorities. The obligation applies to systematic monitoring, large-scale processing of special category data, and innovative uses of technology including AI and automated decision-making.
Data Subject Rights (Articles 15-22)
Delayed or incomplete responses to access requests, failures to honour erasure requests, and obstacles placed in the way of data portability have all resulted in enforcement action. While individual fines for data subject rights violations tend to be smaller, the volume of complaints in this category is high, and authorities treat systematic failures as indicative of broader compliance deficiencies.
The DPA Landscape
GDPR enforcement is not centralised. Thirty data protection authorities across the EEA each bring their own priorities, resources, and enforcement culture. The result is an enforcement landscape that varies significantly by jurisdiction.
Ireland: The Big Tech Regulator
The Irish Data Protection Commission (DPC) occupies a unique position in the GDPR enforcement ecosystem. Because Meta, Google, Apple, Microsoft, TikTok, and many other major US technology companies have their European headquarters in Ireland, the DPC acts as lead supervisory authority for cross-border processing by these companies under the GDPR's one-stop-shop mechanism.
This has made the DPC responsible for several of the largest GDPR decisions ever issued — including the record EUR 1.2 billion fine against Meta and the EUR 530 million fine against TikTok. It has also made the DPC a lightning rod for criticism from other authorities and privacy advocates who have argued that the Commission was too slow to act and too accommodating to the technology industry.
The DPC's enforcement pace has accelerated markedly since 2022, driven in part by the European Data Protection Board's (EDPB) increasing willingness to use its dispute resolution mechanism under Article 65 to override DPC draft decisions that other authorities consider insufficiently robust.
France: High Volume, Broad Reach
The Commission nationale de l'informatique et des libertés (CNIL) is one of the most active enforcement authorities by number of decisions. CNIL has pursued enforcement actions across a wide range of sectors and organisation sizes, from major adtech companies like Criteo (EUR 40 million) to smaller organisations processing data without adequate safeguards. CNIL has been particularly active on cookie consent enforcement and has published detailed guidance that has influenced enforcement approaches across the EEA.
Italy and Spain: Volume Leaders
The Italian Garante per la protezione dei dati personali and the Spanish Agencia Española de Protección de Datos (AEPD) consistently rank among the most active authorities by volume of enforcement decisions. Both issue a high number of smaller fines, reflecting active complaint-handling processes and a willingness to pursue enforcement against domestic organisations. The AEPD in particular has a streamlined procedure for lower-value fines that allows it to process a large number of cases efficiently.
Cross-Border Enforcement Friction
The one-stop-shop mechanism — designed to ensure consistent enforcement by routing cross-border cases through a single lead supervisory authority — has been the source of persistent friction. Concerned supervisory authorities in other member states have frequently disagreed with draft decisions from lead authorities, particularly the Irish DPC, triggering the EDPB's dispute resolution process.
These disputes have delayed decisions by months or years and have revealed fundamental disagreements between national authorities about the appropriate interpretation and application of GDPR provisions. The result has been regulatory uncertainty for multinational organisations that cannot predict how long a decision will take or how the final outcome will compare to the lead authority's initial position.
Breach Notification: 443 Reports Per Day
The DLA Piper survey's breach notification data is striking. Across the EEA, data protection authorities now receive an average of 443 breach notifications per day. This volume reflects both the breadth of the notification obligation — any personal data breach that poses a risk to individuals must be reported within 72 hours — and the extent to which organisations have embedded notification procedures into their incident response workflows.
However, the notification statistics also reveal persistent challenges. A significant proportion of notifications arrive outside the 72-hour window, exposing organisations to enforcement action for the notification failure itself, regardless of the underlying breach. Common causes include delayed internal detection, uncertainty about whether a breach meets the notification threshold, and organisational complexity that slows the escalation path from security team to DPO to supervisory authority.
The 72-hour clock starts when the controller becomes aware of the breach — a concept that has been interpreted strictly by regulators. Awareness is not limited to the moment a senior executive is informed; it includes the point at which any employee or processor with responsibility for data security identifies a breach or reasonably should have identified one. Organisations that build in unnecessary internal review stages before triggering the notification process risk missing the deadline.
For organisations operating across multiple EEA jurisdictions, breach notification adds another layer of complexity. The lead supervisory authority must be notified, but where the breach affects data subjects in multiple member states, the organisation may also need to communicate with additional authorities and with affected individuals in multiple languages.
GDPR Procedural Reform
The European Union has recognised that the cross-border enforcement mechanism needs reform. In 2024, the EU adopted a regulation establishing procedural rules for the enforcement of GDPR in cross-border cases, directly addressing the bottlenecks in the one-stop-shop mechanism that have delayed major decisions.
The procedural regulation introduces several changes designed to accelerate cross-border enforcement:
- Earlier engagement of concerned supervisory authorities in investigations, reducing the scope for disagreement at the draft decision stage
- Standardised procedural rights for parties under investigation, addressing inconsistencies between national administrative procedures
- Clearer timelines for each stage of the cross-border enforcement process
- Strengthened EDPB dispute resolution to resolve disagreements between authorities more efficiently
Separately, the European Commission's Digital Omnibus package, proposed in late 2025, includes amendments to the GDPR itself. While the full scope of these proposed amendments is still under legislative review, they signal a recognition that the regulation's procedural framework requires adjustment to keep pace with enforcement demands.
For compliance teams, the practical implication is that cross-border GDPR cases should be resolved faster in the coming years. The flip side is that faster resolution means less time to remediate issues between investigation and decision — reinforcing the case for proactive compliance rather than reactive response.
Lessons for Compliance Teams
Eight years of enforcement data provides a clear signal about where GDPR compliance programmes should allocate resources. The pattern is consistent across authorities, sectors, and organisation sizes.
Consent Management Requires Ongoing Investment
Consent is the most enforced area of the GDPR and remains the area where organisations most frequently fall short. A compliant consent mechanism is not a one-time implementation — it requires continuous review as processing activities evolve, as regulatory guidance is updated, and as user interfaces change. Organisations should treat consent management as an operational process, not a project with a completion date.
Key areas to audit: cookie consent mechanisms, email marketing opt-ins, mobile app permissions, and any processing that relies on consent as its legal basis. For each, verify that consent is freely given, specific, informed, and unambiguous — and that withdrawal is as easy as giving consent.
Data Protection Impact Assessments Are Not Optional
DPIAs for high-risk processing are a legal obligation, not a best practice recommendation. The enforcement record shows that authorities are increasingly scrutinising whether DPIAs were conducted before processing began, whether they adequately assessed risks, and whether their conclusions were acted upon. Retrospective DPIAs conducted after processing is already underway do not satisfy the Article 35 obligation.
Organisations deploying AI systems, automated decision-making, or large-scale profiling should prioritise DPIAs as an integral part of the development process, not a compliance afterthought.
Breach Notification Procedures Need Testing
With 443 breach notifications per day across the EEA, supervisory authorities are well-positioned to identify organisations whose notification procedures are inadequate. The 72-hour deadline is strict and begins from the point of awareness, not from the point of executive sign-off.
Incident response plans should include clear escalation procedures, pre-drafted notification templates, and regular tabletop exercises that test the organisation's ability to meet the 72-hour window under realistic conditions. The notification process should also account for multi-jurisdiction reporting requirements and communication with affected data subjects.
International Transfer Mechanisms Need Continuous Monitoring
The legal basis for international data transfers remains one of the most dynamic areas of GDPR compliance. The EU-US Data Privacy Framework provides a mechanism for transfers to certified US organisations, but transfers to other third countries — and the adequacy of Standard Contractual Clauses and Binding Corporate Rules — require ongoing assessment. The TikTok decision confirmed that transfers to China face particular scrutiny, and organisations should conduct transfer impact assessments for all data flows outside the EEA.
Enforcement Outlook: 2026-2027
Several trends are likely to shape GDPR enforcement over the next two years.
AI processing will attract enforcement attention. As organisations deploy large language models, automated decision-making systems, and AI-powered profiling, data protection authorities are expected to scrutinise the legal basis for training data processing, the adequacy of DPIAs for AI systems, and compliance with automated decision-making provisions under Article 22. The intersection of the GDPR and the EU AI Act (Regulation (EU) 2024/1689) will create overlapping compliance obligations that require coordinated assessment.
Adtech enforcement will intensify. Cookie consent enforcement has been a consistent theme, but the next phase is likely to target the real-time bidding ecosystem and the broader programmatic advertising supply chain. Several authorities have signalled investigations into whether the scale and speed of data sharing in programmatic advertising can be reconciled with GDPR consent and transparency requirements.
Procedural reform will accelerate cross-border cases. The new procedural regulation should reduce the timeline for cross-border decisions, meaning that organisations may face enforcement actions sooner than the multi-year timelines seen in early landmark cases. This compresses the window for remediation and increases the importance of proactive compliance.
Children's data protection will remain a priority. The TikTok and Meta Instagram fines established that processing children's data without adequate safeguards attracts severe penalties. Authorities across the EEA have identified age verification, children's consent mechanisms, and child-appropriate design as enforcement priorities.
Sustained fine levels. While the enforcement trajectory is not one of unlimited growth, there is no indication that fine levels will decline. The EUR 1.2 billion figure for 2025, broadly matching 2024, suggests a plateau at historically high levels rather than continued acceleration. Organisations should plan on the basis that GDPR enforcement is a permanent feature of the European regulatory landscape, not a transitional phase.
Sources
- DLA Piper, "GDPR Fines and Data Breach Survey," January 2026
- Irish Data Protection Commission, Decision on Meta Platforms Ireland (Case IN-20-5-2), May 2023
- Commission nationale de protection des données (Luxembourg), Decision on Amazon Europe Core, July 2021
- Irish Data Protection Commission, Decision on TikTok Technology Limited, May 2025
- Irish Data Protection Commission, Decision on Meta Platforms Ireland (Cases IN-18-5-5 and IN-18-5-6), January 2023
- European Data Protection Board, Dispute Resolution Decisions under Article 65 GDPR, 2021-2025
- Regulation (EU) 2024/... of the European Parliament and of the Council laying down procedural rules relating to enforcement of the GDPR in cross-border cases
- European Commission, Digital Omnibus Package, 2025
- Regulation (EU) 2024/1689 (EU AI Act)