Executive Summary
Analysis of GDPR enforcement and data breach notification trends across the European Economic Area (EEA) and the UK reveals a landscape of sustained high-level regulatory activity, significant financial penalties, and an evolving legal framework. Annual fines have stabilized at approximately €1.2 billion for the years ending January 2025 and January 2026, reversing a previous downward trend. The cumulative total of all GDPR fines since May 2018 has now reached €7.1 billion.
Ireland remains the dominant enforcer, with its Data Protection Commission (DPC) responsible for €4.04 billion in total fines, largely due to its role as the lead supervisory authority for major technology firms. While “Big Tech” continues to be the primary target for record-breaking penalties, regulators, particularly in Spain and Italy, are actively fining organizations across diverse sectors.
A critical development is the significant increase in data breach notifications. After several years of leveling off, the daily average of breach notifications surged by 22% in the year to January 2026, reaching 443 per day. This uptick is attributed to heightened geopolitical tensions driving more cyber-attacks and increased regulatory focus on incident reporting.
Download: gdprfinesjan2026-compressed.pdf (923 KB)
I. GDPR Fine Enforcement: Scale and Scope
Aggregate Fine Trends
GDPR enforcement has maintained a high level of financial penalties. The aggregate value of fines has stabilized after a decrease in the 2024 reporting period, which was skewed by a single record-breaking fine.
- Year to 27 Jan 2025: €1.2 billion in fines were issued. This was a 33% decrease from the previous year’s €1.78 billion, a figure largely composed of the €1.2 billion Meta fine from 2023.
- Year to 28 Jan 2026: Approximately €1.2 billion in fines were issued, matching the previous year’s total and reversing the downward trend.
- **Cumulative Total (since 25 May 2018):**
  - As of January 2025: €5.88 billion
  - As of January 2026: €7.1 billion
Country League Table for Aggregate Fines
Ireland continues to lead substantially in the total value of fines imposed, a direct consequence of being the European headquarters for many major technology companies.
| Rank | Country | Total Fines (as of Jan 2026) | Key Drivers |
|---|---|---|---|
| 1 | Ireland | €4.04 billion | Eight of the top ten largest fines to date. |
| 2 | France | €1.1 billion | Broad enforcement across GDPR and e-privacy regimes. |
| 3 | Luxembourg | €746.56 million | Primarily due to a single €746m fine against a US online retailer. |
Top Individual Fines Imposed
The largest fines continue to be levied against major technology and social media companies. The record €1.2 billion fine against Meta from 2023 remains unsurpassed.
| Rank | Value (EUR) | Recipient | Issuing Authority | Year | Primary Reason |
|---|---|---|---|---|---|
| 1 | €1.2 billion | Meta Platforms Ireland Ltd | Irish DPC | 2023 | Unlawful transfers of personal data to the US following the Schrems II judgment. |
| 2 | €746 million | US online retailer | Luxembourg CNPD | 2021 | Details not public; fine upheld on appeal in March 2025. |
| 3 | €530 million | Social Media Company | Irish DPC | 2025 | Unlawful transfers of personal data to China. |
| 4 | €405 million | Meta (Instagram) | Irish DPC | 2022 | Breaches related to the processing of children’s data. |
| 5 | €345 million | Social Media Company | Irish DPC | 2023 | Failures related to the lawfulness of processing for advertising purposes. |
| 6 | €310 million | LinkedIn | Irish DPC | 2024 | Lack of lawful basis for behavioural analysis and targeted advertising. |
| 7 | €290 million | Ride-hailing app | Dutch DPA | 2024 | Unlawful transfers of personal data to a third country. |
Sectoral Focus
While nine of the ten largest fines have been imposed on technology and social media giants, regulators are not exclusively focused on this sector. Supervisory authorities in countries like Spain and Italy have issued a high volume of smaller fines across a broad range of industries, including:
- Financial Services: Fines in Spain (€6.2m against a large bank) and Poland (€870,000 for failure to notify a breach).
- Energy/Utilities: A €5m fine in Italy against a utility provider for using outdated data and failing to respond to data subject requests.
- Healthcare: Fines for breaches of security and confidentiality principles are common across jurisdictions.
II. Data Breach Notification Trends
After years of plateauing, the number of data breach notifications has seen a significant year-on-year increase, signaling heightened awareness or a rise in incidents.
- Year to Jan 2025: The trend of leveling off continued, with a small increase to an average of 363 breach notifications per day.
- Year to Jan 2026: A substantial 22% increase was recorded, with the daily average reaching 443 notifications. This is the first time the average has exceeded 400 per day.
The rise is attributed to factors including a more volatile geo-political landscape leading to more cyber-attacks, increased media focus, and new laws with incident notification requirements (e.g., NIS2, DORA).
Leading Countries for Breach Notifications (Total Volume)
The same countries consistently report the highest number of breaches.
- Top 3 (Year to Jan 2025): The Netherlands (33,471), Germany (27,829), and Poland (14,286).
- Top 3 (Year to Jan 2026): The Netherlands (39,773), Germany (34,467), and Poland (19,065).
Per Capita Rankings
When adjusted for population, smaller, digitally advanced nations lead in reporting.
- Top 3 (per 100,000 population, Year to Jan 2026): The Netherlands (223.79), Liechtenstein (182.47), and Denmark (167.12).
III. Key Enforcement Priorities and Themes
Regulators across Europe have demonstrated consistent focus on several core areas of the GDPR.
A. Core GDPR Principles
- Lawfulness, Fairness, and Transparency (Art. 5(1)(a)): This remains a top enforcement priority.
  - LinkedIn (€310m, Irish DPC, 2024): Fined for invalid consent and lack of contractual necessity or legitimate interests for processing data for behavioural advertising.
  - Avast Software (€14m, Czech DPA, 2024): Fined for misleading users about the transfer of pseudonymized data, which was not truly anonymized and was used for purposes beyond what was stated.
  - Dutch Credit Reference Agency (€2.7m, Dutch AP, 2025): Fined for collecting data from various sources without adequately informing individuals and lacking a proper legal basis for processing.
- Integrity and Confidentiality / Security of Processing (Art. 5(1)(f) & Art. 32): Inadequate security measures are a frequent cause for fines, with an increasing focus on the entire supply chain.
  - Capita (€16m, UK ICO, 2025): Fined for failing to implement appropriate technical measures, leading to a major data theft.
  - German Telecom Provider (€30m, BfDI, 2025): Fined for authentication vulnerabilities in its customer portal. An additional €15m fine was issued for deficient data processing agreements.
  - Advanced Computer Software Group (€3.49m, UK ICO, 2025): In the ICO’s first fine against a processor, the IT provider was penalized for security failures that disrupted NHS services.
B. International Data Transfers
Transfers of personal data outside the EEA remain a high-risk area attracting significant penalties.
- Ride-hailing App (€290m, Dutch DPA, 2024): Fined for failing to safeguard EU-US data transfers after the invalidation of the Privacy Shield.
- Social Media Company (€530m, Irish DPC, 2025): Fined for transfers to China without ensuring an essentially equivalent level of data protection.
- EU-US Data Privacy Framework (DPF): The framework faced a legal challenge from French MEP Philippe Latombe, which was dismissed by the EU General Court in September 2025. However, legal uncertainty persists, with an appeal filed and the potential for a Schrems III challenge on the horizon.
C. Artificial Intelligence (AI)
Regulators are actively scrutinizing AI development and deployment to ensure it stays “within the guard rails of the GDPR.”
- **Enforcement Actions:**
  - Clearview AI (€30.5m, Dutch DPA, 2024): Fined for its illegal collection of facial recognition data.
  - Luka Inc. (Replika Chatbot) (€5m, Italian Garante, 2025): Fined for failing to identify a legal basis for processing, lack of a fair processing notice, and no age verification.
- Regulatory Intervention: The Irish DPC’s engagement led X to suspend data processing for its Grok chatbot and Meta to pause its plans to use EU/EEA user data to train large language models.
- Guidance and Proposals: The EDPB has issued opinions on AI, and the proposed Digital Omnibus includes exceptions to allow for AI development under the “legitimate interest” basis, subject to safeguards.
D. “Consent or Pay” Model
The business model where users must either consent to data processing for advertising or pay a fee is under intense regulatory and judicial review.
- EDPB Opinion (April 2024): The EDPB concluded that for large online platforms, this model would not satisfy the requirements for valid consent “in most cases,” as individuals must have a genuine free choice.
- Austrian Court Ruling (2025): The Federal Administrative Court ruled that a newspaper’s “consent or pay” model resulted in invalid consent due to undue pressure and unlawful bundling of processing purposes.
- UK’s Pragmatic Approach: In contrast, the UK’s ICO welcomed Meta’s shift to a “consent or pay” model, viewing its low price point as providing UK consumers with a fair choice.
E. Personal Liability of Directors
A significant new trend is the move by regulators to hold corporate leadership personally accountable for GDPR violations.
- Key Quote: “2024 is the year when GDPR enforcement got personal.”
- Clearview AI Case: In an unprecedented move, the Dutch DPA announced it was investigating whether it could “hold the management of the company personally liable” for ongoing GDPR violations.
- Criminal Complaint: Following this, the privacy group NOYB filed a criminal complaint in Austria against Clearview AI Inc. and its managers in October 2025.
IV. Evolving Legal and Regulatory Framework
A. GDPR Compensation Claims (Article 82)
A series of landmark court rulings in 2025 have begun to clarify the ambiguous area of compensation for non-material damage.
- CJEU (Sept 2025): Ruled that non-material damage can include negative feelings like fear or annoyance, but the mere assertion of such feelings is insufficient; claimants must provide evidence.
- Irish Supreme Court (Dillon): Confirmed that claims for non-material damage do not require pre-authorization from the Injuries Resolution Board. However, it also stated that compensation awards for distress falling short of a psychiatric illness should be “very, very modest.”
- UK Court of Appeal (Equiniti): Removed the “threshold of seriousness” previously required for non-material damage claims in English law. It also confirmed that fear of a breach alone can be sufficient for a claim, provided the fear is objectively justified.
B. Proposed EU GDPR Reforms (Digital Omnibus)
In November 2025, the European Commission proposed the “Digital Omnibus” initiative to simplify and harmonize the EU’s digital regulatory landscape. Key proposed amendments to the GDPR include:
- Raised Notification Threshold: Data breach notifications to authorities would only be required for breaches posing a high risk to individuals.
- Extended Deadline: The reporting deadline would be extended from 72 to 96 hours.
- Centralized Portal: A single EU breach reporting portal operated by ENISA would be introduced, based on a “report once, share many” principle to address overlapping obligations from GDPR, NIS2, and DORA.
C. UK GDPR Divergence
The UK is actively reforming its data protection framework, signaling a move away from direct alignment with the EU GDPR. The Data (Use and Access) Act 2025, passed in June 2025, introduces several key changes:
- Recognised Legitimate Interests: Creates a presumption of legitimacy for certain processing activities.
- Automated Decision-Making (ADM): Removes the requirement for a specific lawful basis before conducting ADM (except for special category data) to promote AI innovation.
- Data Transfer Test: Replaces the EU’s “essential equivalence” test with a new standard requiring that a third country’s safeguards are “not materially lower than” those in the UK.
- Enforcement Philosophy: The UK ICO, under John Edwards, has publicly favored industry engagement over large fines, an approach criticized by privacy advocates but consistent with the UK government’s focus on economic growth.
V. Future Outlook and Predictions
Based on the trends and statements from regulators, several key areas will define the GDPR landscape in the coming year.
- Continued Focus on Security: Enforcement of the GDPR security principle will intensify, driven by geopolitical tensions and the threat of cyber-attacks. There will be a particular focus on supply chain security and the liability of processors who serve multiple controllers.
- Emphasis on Governance and Accountability: Regulators are expected to place greater emphasis on the accountability principle, scrutinizing whether organizations conduct effective Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Persistent Enforcement Priorities: The core themes of recent years will remain central to regulatory action:
  - The legality of the “consent or pay” model will continue to be debated in courts and by regulators.
  - The intersection of AI and data protection will see continued investigation and enforcement as regulators and companies define the boundaries of lawful data use.
  - International data transfers will remain a high-risk, high-penalty area.
  - The lawfulness, fairness, and transparency principle will continue to be a primary focus for enforcement across all sectors.