GDPR Fines in 2026: €7.1 Billion in Penalties and What It Means for Your Business
Eight years after GDPR came into force, regulators are no longer warming up. With €1.2 billion in fines issued in 2025 alone and daily breach notifications exceeding 400 for the first time ever, the enforcement machine has shifted into a higher gear — and it is not slowing down in 2026.
The Numbers at a Glance
According to the DLA Piper GDPR Fines and Data Breach Survey (January 2026), the cumulative total of all GDPR fines issued since May 2018 now stands at €7.1 billion. European supervisory authorities issued approximately €1.2 billion in fines in 2025, closely matching 2024 figures and reversing what had briefly appeared to be a downward trend.
Three numbers define where enforcement stands today:
€7.1 billion — total cumulative GDPR fines since May 2018 (as of January 2026)
€1.2 billion — fines issued in 2025 alone
443 per day — average personal data breach notifications, a 22% increase year-on-year and the first time the daily average has exceeded 400 since GDPR came into force
What makes this figure significant is not just the total — it is the acceleration. More than 60% of the entire cumulative fine total has been imposed since January 2023. The grace period is over.
Ireland remains the dominant jurisdiction in fine value, with the Irish Data Protection Commission (DPC) having issued €4.04 billion in cumulative fines since 2018. This is largely a consequence of Ireland being the European headquarters for many of the world's largest technology companies.
In terms of enforcement volume, Germany issued the highest number of individual fines in 2025 — 499 separate decisions. France led in total fine value, issuing €486.8 million across major enforcement actions including cases against Google and SHEIN.
Biggest Fines of 2025–2026
Four landmark enforcement actions stand out from the 2025–2026 enforcement period. Together they account for more than €1.3 billion in penalties and each contains a direct lesson for compliance programmes.
TikTok — €530 million (Ireland DPC, May 2025)
Ireland's Data Protection Commission fined TikTok €530 million for illegally transferring European Economic Area user data to China without adequate safeguards. Regulators found that TikTok had failed to conduct proper Transfer Impact Assessments and that Chinese staff could access EEA user data under Chinese law, which does not offer equivalent protections to GDPR. This is now the second-largest GDPR fine in history and the highest fine issued in 2025.
Google LLC / Google Ireland — €325 million (CNIL, September 2025)
France's data protection authority fined Google €325 million — €200 million against Google LLC and €125 million against Google Ireland — for inserting advertising content into Gmail without user consent and for manipulating cookie acceptance flows during account creation. CNIL found that Google made it significantly easier for users to accept cookies than to reject them, which constitutes a dark pattern under GDPR. This was Google's third cookie-related fine from CNIL, with each penalty larger than the last.
SHEIN — €150 million (CNIL, 2025)
CNIL fined SHEIN €150 million for placing cookies before obtaining user consent and for designing consent flows where rejecting cookies required substantially more steps than accepting them. Regulators tested the website directly rather than relying on complaints — a sign of how proactive enforcement has become.
LinkedIn — €310 million (Ireland DPC, 2024)
Ireland's DPC fined LinkedIn €310 million for relying on invalid consent and an improperly applied legitimate interest basis for processing data for behavioural advertising. The decision clarified that behavioural advertising is not necessary to provide a social media service, effectively closing the "contract necessity" argument that several large platforms had relied on.
Five Key Enforcement Trends in 2026
1. International Data Transfers Remain the Highest-Value Risk
The TikTok fine and the earlier €1.2 billion Meta fine share a common thread: transferring European user data to third countries — the US and China respectively — without legally adequate safeguards. In 2026, the EDPB is coordinating expanded audits of data flows to the United States, China, and other third countries. Standard Contractual Clauses are not sufficient on their own; Transfer Impact Assessments must document actual risk and supplementary measures.
2. Cookie Consent Dark Patterns Are Now a Primary Enforcement Target
CNIL's actions against Google and SHEIN have established a clear and repeatable enforcement pattern. Regulators now actively test websites rather than waiting for complaints. The standard they apply is straightforward: the path to reject cookies must be no harder than the path to accept them. Red flags that trigger enforcement include unequal friction between Accept and Reject buttons, no "Reject All" option on the first consent layer, pre-ticked checkboxes, cookies placed before consent is obtained, and consent banners that do not name third-party recipients.
3. Breach Notifications Reached a New Record — 443 Per Day
DLA Piper's 2026 survey records a 22% year-on-year increase in personal data breach notifications, rising from 363 per day to 443 per day — the first time the daily average has exceeded 400 since GDPR came into force. Geopolitical tensions, the proliferation of AI-assisted attack tools available to threat actors, and expanded mandatory notification requirements under the NIS2 Directive are cited as likely contributing factors. For most organisations, the 72-hour GDPR notification window is no longer a theoretical pressure — it is an active operational one.
4. AI Systems Are Under Increasing Regulatory Scrutiny
The EU AI Act becomes fully applicable in August 2026, adding a parallel enforcement regime with fines of up to 7% of global annual turnover for prohibited AI practices. This operates alongside — not instead of — GDPR. Shadow AI incidents (employees using unapproved AI tools that process personal data) cost organisations an average of $4.63 million, which is $670,000 above the cost of standard data incidents. According to Cisco's 2026 survey, 90% of organisations have expanded their privacy programmes specifically because of AI, yet 63% still have no formal AI governance policy.
5. Enforcement Is No Longer Concentrated in Big Tech
Spain leads all EU member states with over 1,033 enforcement actions, the majority of which target mid-market companies and SMEs rather than technology giants. The Dutch supervisory authority has expanded its focus to include public sector bodies. Finance, healthcare, telecommunications, retail, and energy companies now appear regularly in enforcement decisions across multiple jurisdictions. Sector alone no longer provides protection.
Who Is Being Targeted?
The enforcement map has broadened significantly. While headline fines still tend to involve large technology platforms, the underlying volume of enforcement activity tells a different story.
According to the CMS GDPR Enforcement Tracker and EDPB's 2025 annual report data:
Media, telecommunications, and broadcasting remained the most-fined sector for the fourth consecutive year
Finance and banking saw increased enforcement related to insufficient legal basis for data processing and failures to respond to data subject access requests
Healthcare was a growing target, particularly for inadequate technical and organisational security measures
Public sector organisations — including municipalities — received enforcement actions in the Netherlands and elsewhere in 2025–2026
E-commerce companies, including both large platforms (SHEIN) and smaller retailers, faced cookie compliance and direct marketing enforcement
Only 33% of organisations report complete knowledge of where their personal data is stored, according to the 2026 Thales Data Threat Report. Regulators now treat full data visibility as a baseline compliance requirement, not an aspiration.
The Hidden Risk: Compensation Claims
GDPR enforcement does not end with a supervisory authority fine. A growing body of case law from the Court of Justice of the European Union is widening the path for individuals to bring compensation claims — including for non-material damage — on the back of regulatory decisions.
In practice, a single enforcement decision can open the door to thousands of individual compensation claims. Organisations like noyb have filed strategic complaints across multiple jurisdictions and use regulatory outcomes to anchor civil litigation. The financial exposure from follow-on claims can exceed the original fine itself in cases involving large user bases.
This risk layer is frequently underestimated in compliance budgets. Legal teams managing GDPR programmes in 2026 need to model both the enforcement and litigation exposure from the same underlying violation.
What Your Business Should Do Now
The patterns from 2025–2026 enforcement are consistent enough to map directly onto compliance priorities. The following five areas carry the highest risk based on active enforcement actions:
Audit all international data transfers
Document every transfer of personal data outside the EEA. For each transfer, confirm you have a valid transfer mechanism in place — Standard Contractual Clauses, adequacy decision, or Binding Corporate Rules. Conduct a Transfer Impact Assessment for transfers to the US, China, and other high-risk jurisdictions. The TikTok and Meta cases show that regulators will scrutinise whether the safeguards are genuine, not just formally in place.
Test your cookie consent implementation
Walk through your own consent flow as a regulator would. Is the "Reject All" button available on the first layer? Does it take the same number of clicks as "Accept All"? Are any cookies set before the user makes a choice? CNIL has confirmed it tests websites directly — a Consent Management Platform that passes this test is the practical baseline for most organisations.
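The two checks described in trend 2 and in this step (no cookies before a choice is made, and rejecting must take no more clicks than accepting) can be scripted rather than walked through by hand. The following is an added example written for this article, not code from the article or from any regulator or Consent Management Platform. It assumes two inputs that an organisation would collect itself: the `Set-Cookie` headers from the first response of a fresh, pre-consent session, and a simple description of the banner's layers and buttons. The allowlist of strictly necessary cookie names, the sample headers and the sample banner are all constructed for illustration.

```javascript
// Added example (not from the article): offline audit of a cookie-consent
// implementation against two checks the text attributes to CNIL:
//   (1) no non-essential cookies are set before the user makes a choice;
//   (2) "reject all" takes no more clicks than "accept all".
// All inputs below are constructed; in practice they come from a capture of a
// fresh session and a description of the banner's layers.

// --- Check 1: cookies set before any consent choice ---

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Assumption: the organisation's cookie inventory documents these names as
// strictly necessary (session, CSRF protection, the consent-state cookie itself).
const STRICTLY_NECESSARY = new Set(["sessionid", "csrftoken", "consent_state"]);

// Cookies set before consent that are not on the strictly-necessary allowlist.
function preConsentViolations(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !STRICTLY_NECESSARY.has(c.name))
    .map((c) => ({
      name: c.name,
      domain: c.attrs.domain || "(first-party)",
      lifetime: c.attrs.expires || (c.attrs["max-age"] ? `max-age=${c.attrs["max-age"]}` : "session"),
    }));
}

// --- Check 2: click distance to "accept" versus "reject" ---

// A banner is modelled as named layers; each button either ends in an
// outcome ("accept" / "reject") or opens another layer. Breadth-first search
// from the first layer gives the minimum number of clicks to reach an outcome.
function clickDistance(banner, outcome) {
  const queue = [[banner.firstLayer, 0]];
  const seen = new Set([banner.firstLayer]);
  while (queue.length) {
    const [layerId, depth] = queue.shift();
    for (const b of banner.layers[layerId]) {
      if (b.outcome === outcome) return depth + 1;
      if (b.opens && !seen.has(b.opens)) {
        seen.add(b.opens);
        queue.push([b.opens, depth + 1]);
      }
    }
  }
  return Infinity; // outcome is unreachable from the banner
}

// Findings for the consent flow: missing first-layer reject, unequal friction.
function consentFlowFindings(banner) {
  const accept = clickDistance(banner, "accept");
  const reject = clickDistance(banner, "reject");
  const findings = [];
  if (!banner.layers[banner.firstLayer].some((b) => b.outcome === "reject")) {
    findings.push("no Reject All on first layer");
  }
  if (reject > accept) {
    findings.push(`reject takes ${reject} clicks, accept takes ${accept}`);
  }
  return { accept, reject, findings };
}

// Constructed sample: headers from the first response of a fresh session.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.111; Domain=.example.test; Max-Age=63072000; Path=/",
  "ad_id=xyz; Domain=.ads.example.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
];

// Constructed sample: Accept on layer 1, Reject only two layers deeper.
const SAMPLE_BANNER = {
  firstLayer: "L1",
  layers: {
    L1: [{ label: "Accept all", outcome: "accept" }, { label: "Manage settings", opens: "L2" }],
    L2: [{ label: "Save choices", opens: "L3" }, { label: "Back", opens: "L1" }],
    L3: [{ label: "Reject all", outcome: "reject" }, { label: "Accept all", outcome: "accept" }],
  },
};

// Combined report for the two checks.
function auditReport(headers = SAMPLE_HEADERS, banner = SAMPLE_BANNER) {
  return { preConsentCookies: preConsentViolations(headers), flow: consentFlowFindings(banner) };
}

console.log(JSON.stringify(auditReport(), null, 2));
```

On the constructed sample the report lists `_ga` and `ad_id` as set before consent and reports that accepting takes one click while rejecting takes three, with no Reject All on the first layer. Substituting a real pre-consent capture and a description of the live banner turns this into a repeatable check that can run on every release of the consent flow.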
Establish an AI governance policy
Even if your organisation uses third-party AI tools rather than building its own, you need a documented policy governing what personal data employees may upload to external AI systems. Shadow AI incidents — employees using unapproved tools — are now a live GDPR risk. The EU AI Act's August 2026 full applicability adds a second compliance layer on top of this.
Strengthen your breach response process
With breach notifications averaging 443 per day across Europe, the 72-hour notification requirement under GDPR Article 33 is a practical operational pressure. Organisations need a documented incident response plan, clear internal escalation paths, and a pre-prepared template for notifying the relevant supervisory authority — before an incident occurs.
Review your legal basis for marketing and advertising
The LinkedIn and Meta decisions have effectively closed the argument that behavioural advertising can rest on "contract necessity" or a broadly applied "legitimate interest". If your organisation uses behavioural advertising or profiling, the legal basis must be genuine, documented consent or a rigorously assessed legitimate interest — and users must be able to object or withdraw consent without losing access to the service.
The Bottom Line
GDPR enforcement in 2026 is not a peak — it is a baseline. The €7.1 billion cumulative total reflects eight years of progressive escalation, and the 2025 figures show no sign of retreat. Regulators have the resources, the coordination mechanisms, and the appetite to continue. The cost of prevention — a proper consent management platform, a data transfer audit, a documented breach response process — remains a fraction of the exposure from a single enforcement action.
The organisations fined in 2025 all had the means to comply. Most underestimated how seriously supervisory authorities would examine the detail of their implementation. In 2026, that margin for error has narrowed further.
Michael Foster
Web technology specialist focusing on privacy tech