By Gregor Emm

EU Data Privacy News — Latest GDPR Enforcement & Fines

The latest EU data privacy enforcement actions, GDPR fines, and regulatory updates. This page covers enforcement from national DPAs across Europe — CNIL (France), ICO (UK), DPC (Ireland), AEPD (Spain), Garante (Italy), and the EDPB.

Updated regularly — bookmark for the latest privacy enforcement news.

2026 Enforcement Overview

Key enforcement themes emerging in 2026:

Cookie Consent Enforcement Expands

EU DPAs are moving beyond Big Tech to audit mid-market websites and regional businesses. The EDPB's coordinated enforcement framework means a ruling in one country increasingly triggers investigations in others.

What this means for your website: Having a consent banner isn't enough — it must actually block tracking before consent. Scan your site to verify your implementation works.

Google Consent Mode Under Scrutiny

Multiple DPAs have signaled that Google Consent Mode v2 does not automatically satisfy GDPR requirements. The consent signal must reflect genuine user choice, and the CMP implementation must actually block Google tags when consent is denied.

Cross-Border Enforcement Streamlining

The EDPB's dispute resolution improvements are reducing case backlogs. Decisions that previously took years are now resolving in months, meaning enforcement actions have a shorter lag time.

Key EU Data Protection Authorities

CNIL (France)

France's CNIL is the most active enforcer on cookie consent. Their enforcement philosophy:

  • Rejecting cookies must be as easy as accepting — same number of clicks, same visual prominence
  • Analytics cookies are not strictly necessary — they require consent
  • Dark patterns in cookie banners trigger fines — asymmetric buttons, hidden reject options

CNIL has fined Google (150M euros), Meta (60M euros), Microsoft (60M euros), and hundreds of smaller French companies for cookie violations.

ICO (United Kingdom)

The UK's ICO takes a guidance-first approach, preferring education over fines for cookie issues. However, their stance is clear:

  • Cookie walls are not compliant
  • Pre-checked consent boxes are invalid
  • Implied consent (scrolling = consent) does not meet GDPR standards

The ICO's November 2024 cookies guidance update reinforced that analytics cookies require consent and that strictly necessary cookies must be genuinely necessary for the service.

DPC (Ireland)

Ireland's DPC handles cases for companies headquartered in Ireland — Meta, Google, Apple, TikTok, Twitter/X. Their fines tend to be the largest by value:

  • Meta: 1.2 billion euros (2023) — unlawful data transfers
  • Meta: 390 million euros (2023) — forced consent for ads
  • TikTok: 345 million euros (2023) — children's data processing

AEPD (Spain)

Spain's AEPD issues the highest volume of fines in Europe, though typically smaller amounts. Active on consent banners, marketing consent, and employee data issues.

Garante (Italy)

Italy's Garante is active on cookie consent and has issued detailed guidance on cookie banner design. They require:

  • Specific cookie categories listed in the banner
  • Technical mechanisms to block cookies before consent
  • Cookie retention periods disclosed

How Enforcement Works

Complaint-Driven

Anyone can file a complaint with a DPA. The privacy NGO noyb (led by Max Schrems) has filed over 800 cookie complaints across Europe, systematically targeting websites with non-compliant banners.

Coordinated Sweeps

DPAs periodically coordinate to audit websites in specific sectors. Recent sweeps have targeted e-commerce, healthcare, and financial services websites.

Breach Notifications

Under GDPR Article 33, you must notify your DPA within 72 hours of discovering a data breach. Inadequate breach notification often triggers an investigation into broader compliance — including cookie practices.

Staying Ahead of Enforcement

  1. Audit your website regularly — compliance can break when marketing adds new scripts or CMPs update
  2. Ensure reject = accept — same visual weight, same number of clicks
  3. Implement Google Consent Mode v2: check your implementation
  4. Document your consent mechanism — you'll need to demonstrate compliance if audited
  5. Monitor enforcement trends — a fine in France signals what other DPAs will follow


This page is updated regularly with the latest EU data privacy enforcement news. Last updated: April 2026.

Frequently Asked Questions

How much have EU GDPR fines totaled?

Since GDPR took effect in May 2018, EU data protection authorities have issued over 5 billion euros in fines. The pace of enforcement has accelerated year over year, with more fines targeting mid-sized companies rather than just Big Tech.

Which EU country issues the most GDPR fines?

Ireland's DPC handles the largest fines by value (due to Big Tech headquarters), but France's CNIL issues the most cookie-related fines. Spain's AEPD issues the highest volume of overall fines, though typically smaller amounts. Italy's Garante is also highly active.

Can EU GDPR fines apply to US companies?

Yes. GDPR applies to any organization processing personal data of EU residents, regardless of where the company is based. US companies including Meta, Google, Amazon, and many smaller businesses have been fined by EU data protection authorities.

What triggers a GDPR enforcement action?

Enforcement can be triggered by consumer complaints, coordinated DPA audits (sweeps), NGO complaints (notably from noyb), data breach notifications, or media attention. Cookie consent violations are increasingly a focus of coordinated enforcement across multiple DPAs.
