GDPR Enforcement: Progress or Missed Potential?

As GDPR approaches its seventh anniversary, two recent reports shed light on its enforcement landscape. While fines have reached billions, questions remain about the effectiveness of enforcement across Europe.

According to DLA Piper’s survey, European data protection authorities issued €1.2 billion in fines in 2024, bringing the total since 2018 to €5.88 billion. While this figure remains significant, it represents a 33% decrease compared to 2023, largely due to the absence of a record-breaking fine like the €1.2 billion penalty imposed on Meta the previous year. Ireland continues to dominate GDPR enforcement, with a cumulative total of €3.5 billion in fines, including major penalties against LinkedIn and Meta in 2024.

Big tech and social media companies remain the primary targets, but regulators are also expanding their focus to financial services, utilities, and AI-related cases. For instance, the Dutch Data Protection Authority is now considering holding individual executives at Clearview AI personally liable for GDPR breaches - an unprecedented move that could set a new precedent for corporate accountability in data protection.

Despite these figures, enforcement remains inconsistent. A report from the NGO NOYB (None of Your Business), investigating enforcement practices between 2018 and 2023, highlights that only 1.3% of cases before EU Data Protection Authorities (DPAs) resulted in fines (in the case of Hungary, 1.1%). While GDPR gives DPAs broad investigatory powers and the ability to impose substantial penalties, the vast majority of cases do not lead to meaningful enforcement. This has led to growing concerns among privacy advocates that many violations go unpunished, undermining GDPR’s intended impact.

The optimal strategy for enforcing GDPR remains a complex issue. High-profile fines can be a deterrent but require extensive resources to manage and pursue against large, well-resourced multinational companies. Moreover, successful appeals or reductions in fines can undermine the enforcement process, weaken the deterrent effect, and reduce the effectiveness and confidence of data protection authority enforcement teams. In contrast to pursuing large, headline-grabbing fines, some regulators are prioritizing a strategy of issuing frequent, smaller penalties. This approach may not generate the same level of media coverage, but it often results in fewer appeals.

These findings point to an ongoing challenge in GDPR enforcement. While authorities are willing to impose heavy fines on major tech firms, enforcement in other industries remains sporadic. The question moving forward is whether regulators will step up efforts to ensure more consistent compliance across all sectors, or whether high-profile cases will continue to dominate the narrative.

With increasing scrutiny on AI and international data transfers, as well as debates over personal liability for executives, 2025 could be a pivotal year for data protection